CN100546244C - Key management protocol and authentication system for secure content delivery on the Internet

Info

Publication number
CN100546244C
Authority
CN
China
Prior art keywords
content
key
consumer
message
caching server
Legal status
Expired - Lifetime
Application number
CNB028227603A
Other languages
Chinese (zh)
Other versions
CN1631000A
Inventor
亚历山大·麦德文斯基
彼得·彼得卡
保罗·莫罗尼
埃里克·斯普龙克
Current Assignee
Google Technology Holdings LLC
Original Assignee
General Instrument Corp
Application filed by General Instrument Corp
Publication of CN1631000A
Application granted
Publication of CN100546244C
Expired - Lifetime

Classifications

    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • G06Q20/367 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L2463/101 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measures for digital rights management

Abstract

The present invention discloses a digital rights management architecture for securely delivering content to authorized consumers. The architecture comprises a content provider (202) and a consumer system (216) that requests content from the content provider. The content provider generates a session rights object (202B) carrying the purchase option selected by the consumer. A key distribution center, KDC (204), then provides authorization data to the consumer system. A caching server (215) is also provided, which compares the purchase option against the authorization data. If the purchase option matches the authorization data, the caching server (215) forwards the requested content to the consumer system (216). Note that the caching server (215) uses real-time streaming to transmit the encrypted content securely, and the requested content is encrypted for delivery to the consumer system (216). Further, the caching server (215) and the consumer system (216) exchange encrypted (and authenticated) control messages in support of delivering the requested content. In this way, every interface between the components is protected by encryption and/or authentication.

Description

Key management protocol and authentication system for secure content delivery on the Internet
Cross-reference to related applications
This application claims the benefit of U.S. Provisional Patent Application No. 60/334,721, filed November 15, 2001, entitled "KEY MANAGEMENT PROTOCOL AND AUTHENTICATION SYSTEM FOR SECURE INTERNET PROTOCOL RIGHTS MANAGEMENT ARCHITECTURE", and of U.S. Patent Application No. 09/966,552, filed September 26, 2001, entitled "UNIQUE ON-LINE PROVISIONING OF USER SYSTEMS ALLOWING USER AUTHENTICATION", both of which are incorporated herein by reference for all purposes as if set forth in full. This application is related to the following U.S. non-provisional applications: U.S. Patent Application No. _ _ _ _, filed _ _ _ _ 2001, entitled "KEY MANAGEMENT INTERFACE TO MULTIPLE AND SIMULTANEOUS PROTOCOLS"; U.S. Patent Application No. _ _ _ _, filed _ _ _ _ 2001, entitled "ACCESS CONTROL AND KEY MANAGEMENT SYSTEM FOR STREAMING MEDIA"; U.S. Patent Application No. _ _ _ _, filed _ _ _ _ 2001, entitled "ENCRYPTION OF STREAMING CONTROL PROTOCOLS SUCH AS RTCP AND RTSP AND THEIR HEADERS TO PRESERVE ADDRESS POINTERS TO CONTENT AND PREVENT DENIAL OF SERVICE"; and U.S. Patent Application No. _ _ _ _, filed _ _ _ _ 2001, entitled "ASSOCIATION OF SECURITY PARAMETERS FOR A COLLECTION OF RELATED STREAMING PROTOCOLS: RTP, RTSP, RTCP"; all of which are incorporated herein by reference for all purposes as if set forth in full.
Background of the invention
The present invention relates generally to the field of data communications and, more particularly, to digital rights management functionality for securely transmitting content between network components.
Conventional digital rights management systems for securing content transmitted over a communication network such as the Internet are becoming well known. Rights management systems are needed because the fundamental problem facing content providers is how to prevent unauthorized use and distribution of digital content. Content providers are concerned with being compensated for their content and with keeping it out of the hands of unauthorized consumers.
Typically, many digital rights management schemes are implemented by encrypting and decrypting the digital content. Encryption is the conversion of data into a form, such as ciphertext, that cannot easily be understood by unauthorized parties. Decryption is the process of converting the encrypted content back into its original, understandable form. Simple encryption includes rotating the letters of the alphabet, substituting numbers for letters, and "scrambling" voice signals by inverting sideband frequencies. More sophisticated encryption works according to complex computer algorithms that rearrange the data bits of the digital content.
To recover the encrypted information easily, the correct decryption key is required. The key is a parameter of the encryption and decryption algorithms; different key values produce unpredictably different results in both encryption and decryption. The larger the key, the harder it is to guess the correct key value and so decode the communication without knowing the key. Generally there are two types of key schemes for encryption/decryption systems: (1) public key systems (PKS), also called asymmetric systems, which use two different keys, one for encryption or signing and one for decryption or verification; and (2) non-public-key systems, also called symmetric or secret key systems, in which the encryption and decryption keys are typically the same. In both public key and secret key systems, key management is used to distribute keys and to properly authenticate the parties receiving them.
One key management system of the related art, developed at MIT, is known as the Kerberos protocol. Kerberos is a key management protocol that allows a party to establish shared session keys with different network services through the concepts of a Key Distribution Center (KDC) and tickets. A ticket is used to securely deliver a session key to a server together with the identity of the client for which the ticket was issued. Tickets are tamper-proof and can be stored securely by the client, which allows the server to remain stateless: the server can relearn the session key each time a client presents its ticket. In this way the concept of tickets improves the scalability of a server in terms of the number of clients it can support. Unfortunately, Kerberos is relatively complex and includes many different options that are not always applicable to a particular application. Moreover, modifying such a complex system is not an attractive option, because modifications to an unfamiliar system increase the risk of introducing additional errors. Another shortcoming of Kerberos is that it does not specify the details of how key management is performed between a client and a server once a ticket has been obtained; it only provides some basic building blocks.
The growing interest in streaming distribution of multimedia content over Internet Protocol (IP) networks has created a growing need for key management systems. One such streaming distribution system is the Aerocast™ network developed by Aerocast, Inc. of San Diego, California. As discussed with reference to Fig. 1, although the existing first-generation Aerocast network facilitates content delivery, it lacks security and a key management system for the network.
Fig. 1 is a block diagram of the (Aerocast) network 100, which facilitates streaming of content over a communication network. Among other components, network 100 comprises a content provider 102, which generates content for a consumer 116; the Internet 114, over which the content is streamed; and a central server 104, to which content provider 102 publishes its content. Central server 104 comprises a database 108 for storing content information and a search engine 110 for searching database 108. Network 100 further comprises a provisioning center 106 and caching servers 112, 113 and 115.
In operation, a consumer 116 wishing to access content from content provider 102 streams the content from the nearest caching server (in this case, caching server 115). In conventional systems without caching servers, a consumer 116 wanting such content would have to stream it directly from content provider 102. This not only results in poor content quality but may also cause delays associated with insufficient bandwidth. By using caching servers, network 100 avoids the disadvantages associated with streaming digital content directly from content provider 102. For example, caching servers 112, 113 and 115 may be local DSL (digital subscriber line) providers.
Network 100 provides further advantages. When searching for content, consumer 116 need not search any and all databases on the Internet 114. Content providers throughout network 100 (including content provider 102) publish descriptions of their content to the single central database 108. For video content, for example, the description may include the movie title, actors and so on. In this way, when content is desired, consumer 116 uses search engine 110 to search database 108. When the content is found, database 108 then provides a link to the content provider 102 holding the desired content. Consumer 116 then accesses content provider 102 to view a more detailed description and other metadata associated with the content.
A mechanism is provided whereby consumer 116 gives content provider 102 a list of the caching servers closest to it. In response to the request from consumer 116, content provider 102 selects the most suitable caching server closest to consumer 116 to stream the content. It should be observed, however, that in today's Aerocast network the content is streamed over network 100 in the clear. Unfortunately, because it is unprotected, the content may be intercepted by unauthorized consumers, causing financial loss to both content providers and consumers.
Other disadvantages of network 100 include the lack of authentication, privacy, message integrity and persistent protection.
There is therefore a need to address the above problems, and the present invention satisfies this need.
Summary of the invention
The present invention relates to a digital rights management architecture for securely delivering content to authorized consumers and for securely transmitting data between various network components.
According to a first aspect of the invention, the architecture comprises a consumer system connected to a content provider over an IP (Internet Protocol) communication network. The architecture further comprises a key distribution center (KDC) and a caching server, which are also connected to the communication network. An authorized user may wish to access content from the content provider. The user employs the consumer system, for example, to select the desired content from a URL at the content provider. In turn, the content provider provides the consumer system with a session rights object for accessing the requested content. The session rights object may contain the purchase option selected by the user. Alternatively, it may contain content access rules. A purchase option characterizes the content: whether it is free, available only by subscription, pay-per-view and so on. An example of a content access rule is one specifying that the content may not be accessed outside a given geographic region.
After receiving the session rights object, the user is redirected to a caching server from which the requested content is streamed to the user. Note that the user may previously have obtained a caching server ticket from the KDC. A ticket is an authentication token that may contain the client name, the server name, a session key and so on. The ticket further contains authorization data indicating, for instance, the services subscribed to and the user's payment method. The ticket and the session rights object are then presented to the caching server, which compares the user selection and/or content access rules in the session rights object with the authorization data from the ticket. If the information matches, the content is streamed to the user. In this way an architecture is provided that delivers content securely to authorized users and denies access to unauthorized users.
According to another aspect of the invention, a rights management architecture is taught for securely delivering content to authorized users. The architecture comprises a content provider and a consumer system that requests content from the content provider. The content provider generates a session rights object carrying the purchase option selected by the consumer. A KDC then provides authorization data to the consumer system. In addition, a caching server is provided that compares the purchase option with the authorization data. If the purchase option matches the authorization data, the caching server forwards the requested content to the consumer system. Note that the caching server uses real-time streaming to deliver the encrypted content securely, and the requested content is encrypted for delivery to the consumer system. Further, the caching server and the consumer system exchange encrypted (and authenticated) control messages in support of delivering the requested content. In this way, every interface between the components is protected by encryption and/or authentication.
According to another aspect of the invention, a rights management method is used for securely pre-positioning content on a caching server. The method comprises providing a content provider, a caching server and a key management protocol. The protocol employs multiple messages to transfer content securely. One message is a key request message, which the content provider sends to the caching server to initiate key management. In response, the caching server sends a key reply message to the content provider. After the exchange of the key request and key reply messages, a set of keys is established for securing the content transfer from the content provider to the caching server.
According to another aspect of the invention, a protocol is disclosed for securing data transmission between the components of a communication network. The protocol comprises providing a central server with a database and publishing content from a content provider to the central server. Further, the protocol comprises providing a billing center and reporting billing information from a caching server to the billing center. In addition, a provisioning database is provided and updated with consumer information. The protocol then uses a key management protocol to secure the data published to the central server. Likewise, the data is secured when billing information is reported and when the provisioning database is updated.
Advantageously, the present invention combines public key technology with a symmetric key scheme to achieve the best security attainable in a "software" implementation of content distribution, subject to the constraints of fast acquisition time and minimal code complexity. Furthermore, under this architecture the network and the service providers are independent of each other, and the architecture can readily be integrated with a particular network.
Brief description of the drawings
Fig. 1 is a block diagram of a network that facilitates streaming of content over a communication network.
Fig. 2 is a block diagram of an IPRM (Internet Protocol Rights Management) system that integrates the ESBroker™ protocol to apply key management and security to the network of Fig. 1, in accordance with an exemplary embodiment of the present invention.
Fig. 3 is a high-level flow diagram of the security and key management protocol when the consumer (client) initiates key management with the caching server (server), in accordance with an exemplary embodiment of the present invention.
Fig. 4 is a high-level flow diagram of the security and key management protocol when the caching server (server) initiates key management with the content provider (client), in accordance with an exemplary embodiment of the present invention.
Fig. 5 is a block diagram illustrating the initial registration of a consumer and the receipt of content, in accordance with an exemplary embodiment of the present invention.
A further understanding of the nature and advantages of the present invention may be realized by reference to the remaining portions of the specification and the drawings. References to "steps" of the present invention should not be construed as limited to "step plus function" means, and are not intended to refer to any particular order of performing the invention. Further features and advantages of the present invention, as well as the structure and operation of its various embodiments, are described in detail below with reference to the accompanying drawings. In the drawings, like reference numerals indicate identical or functionally similar components.
Detailed description
Fig. 2 is a block diagram of an IPRM (Internet Protocol Rights Management) system 200 that integrates the ESBroker™ protocol to apply key management and security to network 100 of Fig. 1, in accordance with an exemplary embodiment of the present invention.
Among other components, IPRM system 200 comprises a content provider 202, a consumer 216, the Internet 214, a provisioning center 206, a central server 205 (comprising a database 208 and a search engine 210), and caching servers 212, 213 and 215, all of which function similarly to the corresponding components of Fig. 1. In addition, IPRM system 200 comprises a key distribution center (KDC) 204, which comprises an AS (authentication server) 207 for issuing TGTs (ticket-granting tickets) to consumer 216 and a TGS (ticket-granting server) 209 for providing server tickets for access to particular servers, as well as a provisioning server 220 and a billing center 211. KDC 204, billing center 211, provisioning center 206 and central server 205 are all located within a central unit 218 to facilitate provisioning of services in IPRM system 200.
Further, IPRM system 200 comprises an IPRM agent 202A for handling rights management on behalf of content provider 202, a session rights object 202B containing the user selection and the content rules, an IPRM agent 212A for caching server 212, an IPRM agent 213A for caching server 213, an IPRM agent 215A for caching server 215, an IPRM agent 216A for consumer 216, and a viewer (not shown) located within consumer 216 for receiving the desired content. Although not shown, the aforementioned components may be located within the components with which they are associated. For example, IPRM agent 202A may be located within content provider 202 rather than outside it as shown.
As explained, IPRM system 200 is generally used to facilitate secure streaming of content to consumer 216 using caching servers 212, 213 and 215. Content provider 202 provides the content only once; thereafter it may be moved among the caching servers. The purpose of the caching servers is to move the content closer to the edge of IPRM system 200. This improves streaming performance and allows smaller content providers to sell their content without having to purchase expensive streaming hardware. It also allows IP multicast (communication between a single sender and multiple receivers on a network) to be introduced only at the caching servers. With present technology, IP multicast is limited to local area networks (LANs), where it is easier to perform than over the Internet.
In accordance with a first embodiment, the present invention provides security to IPRM system 200 by means of KDC 204 and IPRM agents 202A, 212A, 213A, 215A and 216A. The IPRM agents, KDC 204 and provisioning center 206 provide authentication, privacy, integrity and access control tools to all aspects of IPRM system 200. For example, before a consumer can use the system to stream content, a registration process must be performed. IPRM system 200 provides secure registration for the consumer, so that during the registration process no one else can duplicate the identity of consumer 216 by intercepting messages between consumer 216 and KDC 204. KDC 204 is a trusted entity that provides key distribution to network components using a mix of symmetric and asymmetric algorithms. These algorithms may be implemented with one or more software instructions; alternatively, they may be provided in secure cryptographic hardware.
Another aspect of the system that provides security is the interface between the caching servers and content provider 202 when content is transferred between nodes. Other aspects that provide security are the installation of caching servers, the delivery of content from the content provider to the caching servers, the movement of content between caching servers, the reporting of usage data, billing, updating of consumer data, content publishing, and initial consumer sign-up. Although not indicated, those of ordinary skill in the art will recognize that other aspects may also be secured, consistent with the spirit and scope of the present invention.
KDC 204 and the IPRM components may be purely software-protected, which affords consumer 216 only limited trust; they may be hardware security modules, which may be mandatory for obtaining rights to high-quality content from rights owners requiring a high level of security; or they may be a combination of software and hardware. IPRM uses an authenticated key management protocol with enhanced scalability that can scale to millions of users. This key management protocol, called ESBroker™ (Electronic Security Broker), is a product of Motorola, Inc. of San Diego, California, and is referenced throughout this specification.
The ESBroker™ protocol is based in part on the Kerberos framework, and comprises interactions of clients with a centralized key distribution center (KDC 204) and with individual application servers. A KDC client is any host that can send requests to the KDC. Within the IPRM system this includes consumers, caching servers and other IPRM system components. An application server is any server registered with the KDC for which a client may request a service ticket (for example, a caching server, the billing center and so on).
As used herein, a ticket is an authentication token given out to a client by the KDC. Among other information, a ticket contains the name of the client, the name of the particular server, and a session key (a symmetric cryptographic key). The client name and the session key must be kept secret, and are encrypted with another key, called the service key. The service key is a secret key known only to the KDC and to the server named in the ticket. Because the client does not possess this service key, it is unable to decrypt the ticket or to change its contents. Normally the client also needs to know the session key, and since it cannot obtain it from the ticket, the KDC sends the client a separate copy of the same session key.
To authenticate a message that carries a ticket (for example an ESBroker key request message), the client includes in the message both the ticket and a checksum value keyed with the session key from the ticket. Note that the session key inside the ticket is encrypted with the server's service key. When the server named in the ticket receives this message from the client, it can decrypt the ticket with its service key, verify the client name and obtain the session key. The session key is then used to verify the keyed checksum, thereby authenticating the whole message.
This ticket-based authentication is part of the Kerberos IETF (Internet Engineering Task Force) standard (RFC 1510) and is also utilized by the ESBroker protocol. Those skilled in the art will appreciate that other authentication techniques based on other standards may also be adopted. A ticket may carry other information, including a validity period (start time and expiration time), various flags, client authorization data and so on. The authorization data field may contain the subscribed services, geographic location, the user's payment method and other data relevant to authorizing the user.
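The ticket mechanism described above (a ticket sealed under the server's service key, a separate copy of the session key for the client, and a KEY_REQ authenticated by a checksum keyed with that session key) is shown end to end in the following added example. It is not code from the patent or from ESBroker; the patent names neither the ticket cipher nor the checksum algorithm, so the example uses a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 in counter mode plus an HMAC tag) as a stand-in for the ticket encryption and HMAC-SHA256 as the keyed checksum, and adds a timestamp to KEY_REQ for replay protection. The JSON field names, the `KDC` class and the principal names `consumer216`/`cache215` are assumptions chosen to mirror the figures; the same exchange applies to the content-provider-to-caching-server key request described in the summary.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple

# Message codes from Table 1 of the patent; only KEY_REQ is built here.
KEY_REQ = 8


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one service key (domain separation)."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in stream cipher (assumption:
    the patent does not name the ticket cipher; a deployment would use an AEAD such as AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only holders of `key` can read or alter it."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal(); raises ValueError on a wrong key or any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KDC:
    """Trusted third party holding one service key per registered application server."""

    def __init__(self) -> None:
        self.service_keys: Dict[str, bytes] = {}

    def register_server(self, server: str) -> bytes:
        self.service_keys[server] = os.urandom(32)
        return self.service_keys[server]

    def issue_ticket(self, client: str, server: str, auth_data: Dict,
                     lifetime: float = 3600.0, now: Optional[float] = None) -> Tuple[bytes, bytes]:
        """Ticket sealed under the server's service key, plus a separate copy of the
        session key for the client, which cannot open the ticket itself."""
        now = time.time() if now is None else now
        session_key = os.urandom(32)
        body = {"client": client, "server": server, "session_key": session_key.hex(),
                "start": now, "expiry": now + lifetime, "auth_data": auth_data}
        return seal(self.service_keys[server], json.dumps(body, sort_keys=True).encode()), session_key


def build_key_req(ticket: bytes, session_key: bytes, doi: Dict, now: Optional[float] = None) -> Dict:
    """Client side: KEY_REQ = ticket + application-specific DOI object + checksum keyed
    with the session key over every other field (timestamp added for replay protection)."""
    msg = {"code": KEY_REQ, "ticket": ticket.hex(), "doi": doi,
           "timestamp": time.time() if now is None else now}
    msg["checksum"] = hmac.new(session_key, json.dumps(msg, sort_keys=True).encode(),
                               hashlib.sha256).hexdigest()
    return msg


def verify_key_req(msg: Dict, server: str, service_key: bytes,
                   now: Optional[float] = None) -> Tuple[str, bytes, Dict]:
    """Server side: open the ticket with its own service key, check server name, validity
    window and freshness, recover the session key and verify the keyed checksum.
    Returns (client name, session key, authorization data) or raises ValueError."""
    now = time.time() if now is None else now
    ticket = json.loads(unseal(service_key, bytes.fromhex(msg["ticket"])))
    if ticket["server"] != server:
        raise ValueError("ticket was issued for a different server")
    if not ticket["start"] <= now < ticket["expiry"]:
        raise ValueError("ticket outside its validity period")
    if abs(now - msg["timestamp"]) > 300:
        raise ValueError("KEY_REQ timestamp outside the replay window")
    session_key = bytes.fromhex(ticket["session_key"])
    unsigned = {k: v for k, v in msg.items() if k != "checksum"}
    expected = hmac.new(session_key, json.dumps(unsigned, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["checksum"]):
        raise ValueError("KEY_REQ checksum verification failed")
    return ticket["client"], session_key, ticket["auth_data"]


def demo() -> Dict:
    """Constructed exchange between consumer 216 and caching server 215 at fixed times."""
    kdc = KDC()
    cache_key = kdc.register_server("cache215")
    ticket, sk = kdc.issue_ticket("consumer216", "cache215",
                                  {"subscriptions": ["movies"], "region": "US"}, now=1000.0)
    req = build_key_req(ticket, sk, {"session_rights": {"purchase_option": "subscription"}}, now=1500.0)
    client, sk_server, auth = verify_key_req(req, "cache215", cache_key, now=1500.0)
    return {"client": client, "keys_match": sk == sk_server, "auth_data": auth}


if __name__ == "__main__":
    print(demo())
```

The server learns the session key only by opening the ticket, so a KEY_REQ whose DOI object has been altered in transit, a ticket replayed against a different server (whose service key does not open it) and a ticket presented after its expiry time are all rejected before any key material is released.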
The same host may be both a KDC client and an application server at the same time. For IPRM system 200, the protocol employs a series of messages to implement key management across the client and server interfaces of the system. This key management protocol is designed to be generic for establishing secure sessions rather than being confined to the IPRM system. These messages are listed in Table 1 below and described further in the subsection entitled IPRM protocol messages.
Table 1
Code  Message type          Description
1     CLIENT_ENROLL_REQ     Client enrollment request, containing the client public key and other attributes
2     CLIENT_ENROLL_REP     Client enrollment reply from KDC 204, possibly containing a client certificate for the public key
3     AS_REQ                Request for a ticket-granting ticket from the authentication server
4     AS_REP                Reply from the authentication server, containing the TGT
5     TGS_REQ               Request for a service ticket from TGS server 209
6     TGS_REP               Reply from TGS server 209, containing the service ticket
7     TKT_CHALLENGE         Server requests that this client initiate key management
8     KEY_REQ               Key management request from the client
9     KEY_REP               Key management reply from the application server
10    SEC_ESTABLISHED       Acknowledgment from the client to the application server that security has been established
11    ESB_ERR               Error reply message
12    INIT_PRINCIPAL_REQ    Create a provisioning ticket for a specified principal; if the principal does not yet exist, it is initialized in the KDC 204 database
13    INIT_PRINCIPAL_REP    Returns the provisioning ticket for the specified principal
14    DELETE_PRINCIPLE_REQ  Delete a specified ESBroker™ principal from the KDC 204 database
15    DELETE_PRINCIPLE_REP  Acknowledges DELETE_PRINCIPLE_REQ
16    SERVICE_KEY_REQ       Application server requests a new service key from KDC 204
17    SERVICE_KEY_REP       KDC 204 returns a new service key to the application server
18    AUTH_DATA_REQ         KDC 204 requests authorization data for a specified principal. This may be part or all of the authorization data that will subsequently appear in tickets issued by KDC 204
19    AUTH_DATA_REP         Authorization server returns the data requested in AUTH_DATA_REQ
In operation, the key management process between a client and a server is divided into two phases: (1) a generic phase, in which the client contacts KDC 204 to obtain a server ticket for accessing the server; and (2) a non-generic phase, in which the client uses the server ticket to form a KEY_REQ (key request) message to the server. In the non-generic phase, a DOI (domain of interpretation) object carries information specific to the particular application of the generic ESBroker key management protocol (for example, specific to the IPRM system). For example, in the key management process between consumer 216 (client) and caching server 215 (server), the generic phase involves consumer 216 obtaining a server ticket from KDC 204 for accessing caching server 215. The non-generic phase involves using the server ticket to generate a KEY_REQ message for accessing caching server 215, where the KEY_REQ contains a DOI object that carries session rights, and the session rights contain the user's selection and, optionally, content rules. A typical content rule is a restriction to a particular geographic region. It should be noted that content rules generally apply to all users. Further, which messages of the protocol are used depends on whether key management is initiated by the client or by the server. If the server initiates it, a TKT_CHALLENGE (ticket challenge) message may be used in addition to the other messages, as shown more clearly with reference to Fig. 4.
Fig. 3 is a high-level flow diagram of the security and key management protocol when consumer 216 (client) initiates key management with caching server 215 (server), in accordance with an exemplary embodiment of the present invention.
As shown, consumer 216, wishing to stream content securely from caching server 215, initiates the key management process. It does so by sending an AS_REQ message to KDC 204 to obtain a TGT (ticket-granting ticket) for TGS server 209. The AS_REQ message contains the identity of consumer 216, the identity of KDC 204 (more specifically, the KDC realm or administrative domain) and a nonce that ties the request to its response. It may also contain a list of the symmetric encryption algorithms supported by consumer 216. It is of course assumed that both consumer 216 and caching server 215 are registered with KDC 204, and that KDC 204, as the trusted authenticator, can verify the identity of both nodes.
As shown, in response to the AS_REQ message, KDC 204 validates the TGT request, checks the validity of consumer 216 with provisioning server 220 and then responds with an AS_REP message containing the TGT. It should be noted that the private part of the TGT is encrypted with the KDC 204 service key, which is known only to KDC 204. The same KDC 204 service key is also used to authenticate the TGT, which carries an encrypted hash. Because consumer 216 does not know the KDC 204 service key, it can neither modify the TGT nor read its private part. Because consumer 216 still needs to know the session key for subsequent authentication to KDC 204, another copy of the session key is delivered to consumer 216 using a key agreement algorithm (for example, elliptic curve Diffie-Hellman).
After receiving and storing the TGT, consumer 216 is ready to start requesting streaming content on the network. It sends a TGS_REQ message containing the TGT to KDC 204 (TGS server 209) to request a ticket for caching server 215. It should be noted that consumer 216 may perform additional provisioning actions, for example subscribing to a specific content provider. In addition, consumer 216 may create a list of preferred caching servers.
In response to the TGS_REQ message, KDC 204 sends consumer 216 a TGS_REP message carrying the caching server ticket. If there are other preferred caching servers, consumer 216 can use its TGT to contact KDC 204 and obtain caching server tickets for those servers. These caching server tickets can then be cached for future use. Otherwise, a caching server ticket is obtained at the time content is requested from the appropriate caching server.
For some consumers, before issuing the caching server ticket, KDC 204 first needs to query provisioning server 220 for the subscriber's authorization data. This is done through an AUTH_DATA_REQ/AUTH_DATA_REP exchange between KDC 204 and provisioning server 220. The user authorization data can be inserted into the ticket. The caching server ticket has the same format as the TGT and contains a session key used for authentication to caching server 215. The private part of the ticket is encrypted with the caching server 215 service key, which is known only to caching server 215 and KDC 204. The ticket is also authenticated with a hash that is encrypted with the same service key. As with the TGT, consumer 216 cannot modify this ticket. Consumer 216 needs the session key from the caching server ticket to authenticate itself to the server. A copy of this session key is delivered to consumer 216 encrypted with the TGT session key.
The process from the AS_REQ message through the TGS_REP message corresponds to the generic phase identified above, in which the client contacts KDC 204 to obtain a server ticket for accessing the server. Because it is generic, the same process is used to protect other interfaces, including content delivery from the content provider to the caching server, operation reporting, billing and the like. Further, this yields a more secure IPRM system without unnecessary or complex options. And because complexity is reduced, problems are identified and corrected quickly.
On receiving the TGS_REP message containing the caching server ticket, consumer 216 sends a KEY_REQ message containing this ticket to caching server 215. In addition to the caching server ticket, the KEY_REQ message contains a MAC (message authentication code) of the message, a DOI (domain of interpretation) object and a timestamp. The DOI object is used to carry application-specific information associated with this secure session. In the present embodiment, the DOI object contains the session rights information for consumer 216. The session rights are provided by content provider 202. The reason session rights are encapsulated in the DOI object is that session rights are specific to this particular content delivery architecture (including caching servers), whereas the ESBroker protocol provides a generic key management service. ESBroker can be applied to other types of secure sessions, whose application-specific information is likewise encapsulated in the DOI object.
When caching server 215 receives the generic KEY_REQ message, it extracts the non-generic DOI object. Caching server 215 then checks the DOI object and the authorization information, for example using code specific to the streaming application. If the session rights match the authorization data in the ticket, a KEY_REP message containing the session key is sent to consumer 216. Note that the authorization data comes from the ticket, while the session rights object contains the user's selection and/or content rules. The user's selection is compared against the authorization data and the content rules. If the content rules are not in the session rights object, the caching server must already have obtained them from the content provider by some other method. Further, some content rules may come from other sources, for example a cable provider.
When the session rights match the authorization data, from this point on both sides have the protocol key and can begin encrypting their subsequent messages, for example the streaming content. If authorization fails, an error message is sent to the consumer. It should be noted that in some cases the KEY_REP message contains a DOI object, where caching server 215 needs to return some application-specific information to consumer 216. For example, in the IPRM system, when a caching server sends a ticket challenge to a content provider to request a secure session, the session ID is placed in the DOI object that the caching server later provides in the KEY_REP message. The ticket challenge message is not authenticated and therefore does not contain a DOI object.
This phase (KEY_REQ/KEY_REP), in which the client uses the server ticket to form a key request to the server, corresponds to the non-generic phase. This phase is non-generic because the DOI object varies with the interface being protected. For example, the DOI object involved in content delivery from the content provider to the caching server differs from the DOI object used for delivering the same content from the caching server to a subscriber.
Fig. 4 is a high-level flow diagram of the security and one possible key management protocol when caching server 215 (server) initiates key management with content provider 202 (client), in accordance with an exemplary embodiment of the present invention. Note that the caching server could also initiate key management with the content provider using a key request message, as shown in Fig. 3. The method shown in Fig. 4 provides an optimization for server-initiated key management and eliminates the need for the server to obtain and then cache a potentially large number of client tickets.
Caching server 215 initiates key management when it receives a request for content and does not have the requested content. As shown, key management can be initiated by sending a TKT_CHALLENGE (ticket challenge) message from caching server 215 to content provider 202. TKT_CHALLENGE is used by a server to direct a client to initiate key management.
At decision block 224, if content provider 202 has a previously obtained caching server ticket, it sends a KEY_REQ message containing this ticket to caching server 215. In response, caching server 215 sends a KEY_REP message, as discussed previously above. On the other hand, returning to decision block 224, if content provider 202 has neither a caching server ticket nor a TGT, it sends an AS_REQ message to KDC 204, and KDC 204 answers with an AS_REP message. If the content provider already has its TGT, AS_REQ/REP is skipped.
Thereafter, content provider 202 sends a TGS_REQ message to KDC 204 and receives a TGS_REP message containing the caching server ticket. Having obtained the caching server ticket, content provider 202 sends a KEY_REQ message, which in this case does not contain a DOI object. The session ID can be in the reply, in the request or in both; session rights are not applicable because content provider 202 is not a consumer of caching server 215. Once the shared key is established, content provider 202 sends a SEC_ESTABLISHED message (not shown) to caching server 215. Because the server initiated key management, the SEC_ESTABLISHED message informs the server that security has been established.
Advantageously, it should be observed that the same messages, namely TKT_CHALLENGE, AS_REQ/AS_REP, TGS_REQ/TGS_REP, KEY_REQ/KEY_REP and SECURITY_ESTABLISHED, are used in multiple protocols and scenarios, depending on whether key management is initiated by the client or by the server. If the server requests key management, all of the messages, including TKT_CHALLENGE, may be used. Otherwise, if the client initiates key management, all messages except TKT_CHALLENGE are used. It should also be observed that when the client initiates key management, the security established message is usually skipped as well. Advantageously, because a single key management protocol is used on all interfaces, it is easier to analyze whether the system is secure. In addition, the system uses the same key management to protect streaming and non-streaming content, including billing data; only the DOI object field changes.
Fig. 5 is a block diagram illustrating the initial registration of consumer 216 and the receipt of content, in accordance with an exemplary embodiment of the present invention.
A new consumer 216 wishing to receive content from caching server 215 can initially sign up with central unit 218.
At block 502, consumer 216 uses a web browser to visit a website (not shown) provided by central unit 218. Consumer 216 goes to the initial subscription and software download page and downloads and installs the viewer application, including any IPRM components. As an alternative, the viewer application and IPRM components can be distributed to the consumer on removable media, for example a CD-ROM.
At block 504, consumer 216 starts the viewer, which initiates an SSL (secure sockets layer) session to provisioning server 220. The session is initiated using the central unit 218 certificate (not shown). The certificate is the signed public key of central unit 218, which consumer 216 obtained earlier. After the SSL session begins, consumer 216 fills in an initial subscription form, which includes a field for a user ID. Alternatively, the user ID may be assigned automatically by the central unit. Consumer 216 then determines a local host identifier and sends it, together with other information, to provisioning server 220. (This is done transparently by the viewer.)
At block 506, provisioning server 220 extracts the user ID and converts it to an ESBroker™ principal name. A principal name uniquely names a consumer or server instance that participates in IPRM system 200. In this case, the viewer's principal name is the same as the subscriber ID assigned to that viewer. After converting the user ID to an ESBroker™ principal name, provisioning server 220 sends a command to KDC 204 to generate a new ESBroker™ principal in the KDC 204 database (not shown). This command also includes the consumer's host identifier.
At block 508, KDC 204 generates for consumer 216 a provisioning ticket that contains a provisioning key (session key). In one embodiment of the invention, the provisioning key can be a symmetric key. KDC 204 uses the provisioning key to authenticate messages between itself and consumer 216. The provisioning ticket and an SKS (session key seed) are then returned to provisioning server 220. Because consumer 216 cannot access the provisioning key (it is encrypted with the KDC 204 key), consumer 216 uses the SKS to reconstruct the provisioning key contained in the provisioning ticket.
At block 510, in addition to the provisioning ticket, consumer 216 downloads configuration parameters, including the user ID, the ticket expiration time (contained in the unencrypted part of the ticket), the KDC 204 name and/or address and the like, and optionally software components, including the ESBroker™ daemon. It should be observed that the software components may have been downloaded before this registration process, as is the case in the Aerocast network. Afterwards, the SSL connection is terminated.
At block 512, the ESBroker™ daemon is initialized with the downloaded configuration parameters.
At block 514, a public/private key pair is generated for authenticating AS_REQ messages between consumer 216 and KDC 204. The public key is forwarded from consumer 216 to KDC 204. This is done using a CLIENT_ENROLL_REQ message. The message contains the public key, which consumer 216 signs (symmetrically) using the provisioning key derived from the SKS. Because it cannot access the provisioning key in the provisioning ticket, consumer 216 uses a one-way function to derive the provisioning key from the SKS. The problem with distributing a ticket and a provisioning key to a software client is that the software client could copy the ticket and key and pass them to an unauthorized software client. To address this problem, consumer 216 receives the SKS rather than the actual provisioning key. The SKS is combined with the unique host identifier, using a one-way function, to generate the provisioning key. The SKS is specific to the particular host and cannot be used anywhere else. In the present embodiment, consumer 216 performs the following function to regenerate the provisioning key:
$\text{Provisioning key} = \mathrm{SKGen}^{-1}(\text{Host ID}, \text{SKS})$
where $\mathrm{SKGen}^{-1}()$ is a one-way function: its inverse cannot be computed within a reasonable time (for example, in less time than the ticket lifetime).
At block 516, on receiving the CLIENT_ENROLL_REQ message, KDC 204 looks up consumer 216 in its local database to validate the request. If the request is valid, KDC 204 stores the public key in a client database, which may be local to the KDC or at some other remote location with secure access. As an alternative, KDC 204 can use the public key to generate a certificate to be forwarded to consumer 216. Afterwards, a CLIENT_ENROLL_REP message confirming that the key has been stored (or, alternatively, containing the client certificate) is sent to consumer 216.
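The SKS mechanism of blocks 508 through 516, as an added worked example in Go. This is illustrative code written for this page, not code from the patent or from any ESBroker implementation. It assumes HMAC-SHA256 as the one-way function SKGen^-1 (the patent fixes only the one-way property) and HMAC-SHA256 again as the symmetric signature on CLIENT_ENROLL_REQ; the principal record, the label string and the map used as the KDC database are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveProvisioningKey is SKGen^-1(Host ID, SKS), a one-way function of the host
// identifier and the session key seed. Assumption: HMAC-SHA256 keyed with the SKS
// over a labelled host ID; the patent fixes only the one-way property, not the function.
func deriveProvisioningKey(hostID string, sks []byte) []byte {
	m := hmac.New(sha256.New, sks)
	m.Write([]byte("ESBroker provisioning key:" + hostID))
	return m.Sum(nil)
}

// principal is what KDC 204 keeps after the provisioning server's "create principal"
// command (constructed record): the host ID from the command and the provisioning key.
type principal struct {
	HostID  string
	ProvKey []byte
}

// kdcCreatePrincipal generates the SKS, derives the provisioning key for the host named
// in the command and stores it. Only the SKS leaves the KDC (via the provisioning
// server, over SSL), and it reproduces the key only on that host.
func kdcCreatePrincipal(db map[string]principal, name, hostID string) ([]byte, error) {
	sks := make([]byte, 16)
	if _, err := rand.Read(sks); err != nil {
		return nil, err
	}
	db[name] = principal{HostID: hostID, ProvKey: deriveProvisioningKey(hostID, sks)}
	return sks, nil
}

// signEnrollRequest is the consumer side of CLIENT_ENROLL_REQ: the new public key is
// signed symmetrically with the provisioning key reconstructed from the local host ID and the SKS.
func signEnrollRequest(hostID string, sks, publicKey []byte) []byte {
	m := hmac.New(sha256.New, deriveProvisioningKey(hostID, sks))
	m.Write(publicKey)
	return m.Sum(nil)
}

// verifyEnrollRequest is the KDC side: look the principal up and check the signature
// under the provisioning key on file. A copied SKS used on another host derives a
// different key, so forwarded credentials fail here.
func verifyEnrollRequest(db map[string]principal, name string, publicKey, sig []byte) error {
	p, ok := db[name]
	if !ok {
		return errors.New("unknown principal")
	}
	m := hmac.New(sha256.New, p.ProvKey)
	m.Write(publicKey)
	if !hmac.Equal(m.Sum(nil), sig) {
		return errors.New("CLIENT_ENROLL_REQ signature invalid")
	}
	return nil
}
```

The point the example makes is the one the text argues: the KDC never hands out the provisioning key, and because the host identifier enters the derivation, the same SKS presented from a different host produces a different key and a signature the KDC rejects.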
At block 518, consumer 216, now enrolled, can contact a website (not shown) that includes database 208 with a list of content from various providers (including content provider 202). When the desired content is found, consumer 216 is redirected to content provider 202.
At block 520, consumer 216 then contacts content provider 202, to which it was redirected, and transmits its list of preferred caching servers, its list of subscribed services, its ability to pay for content and the like.
At block 522, content provider 202 presents an optimized subset of purchase options, depending on the context of the particular consumer and service. For example, for a consumer who subscribes to this service, the price selection screen can be bypassed.
At block 524, content provider 202 generates a session rights object that encapsulates the purchase option selected by consumer 216, an optional set of content access rules (for example, a restricted region) and a reference to the selected content. For example, when consumer 216 requests these session rights from the content provider, consumer 216 generates a session ID, which is a random number. The session rights object may have an end time (after which these session rights are no longer valid), a provider ID and the like. Optionally, the session rights object may contain content rules. As an alternative, these rules can be delivered to the caching server by some out-of-band method.
At block 526, content provider 202 redirects consumer 216 to the appropriate caching server. In this case, the content will be streamed from caching server 215, the caching server nearest to consumer 216. If consumer 216 previously cached a caching server ticket for caching server 215 when signing up, it retrieves this ticket. If there is no cached ticket, it contacts KDC 204 using its TGT to obtain the correct caching server ticket.
At block 528, consumer 216 authenticates itself to caching server 215 using the caching server ticket and at the same time (in the same KEY_REQ message) transmits to caching server 215 the session rights object obtained from content provider 202. Communication between consumer 216 and caching server 215 uses the KEY_REQ/KEY_REP messages described above.
At block 530, caching server 215 checks the access rules in the session rights object, the rights of consumer 216 contained in the ticket and the user selection in the session rights object (the purchase option selected by the consumer). The rights are essentially authorization data specific to consumer 216 that permit access to content. The set of content access rules is optional, because it can be delivered to caching server 215 directly with the content. Further, caching server 215 may optionally collect additional content access rules from multiple sources. For example, an access network provider (for example, a cable system operator) may impose some restrictions on delivery over its network.
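The ticket and KEY_REQ handling of Fig. 3 (ticket private part sealed under the caching server's service key, KEY_REQ authenticated with the ticket session key, session rights compared with the authorization data in the ticket) together with the check at blocks 528 and 530, as an added worked example in Go. This is illustrative code written for this page, not code from the patent or any ESBroker implementation. It assumes AES-GCM in place of the patent's "encrypted private part plus encrypted hash", HMAC-SHA256 for the KEY_REQ MAC and a JSON encoding of the messages; the field names (AuthData, PurchaseOption, ContentURL) and the key sizes are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// ticketPrivate is the part of the ticket only KDC 204 and the caching server can read.
// Assumption: AES-GCM under the server's service key stands in for the patent's
// "encrypted private part plus encrypted hash"; the consumer cannot read or alter it.
type ticketPrivate struct {
	Client     string
	SessionKey []byte
	Expires    time.Time
	AuthData   []string // purchase options the subscriber is entitled to (AUTH_DATA_REP)
}

// issueTicket is the KDC side of TGS_REQ/TGS_REP: it returns the sealed ticket
// (nonce || ciphertext) and the session-key copy sent to the client under the TGT session key.
func issueTicket(serviceKey []byte, client string, authData []string, ttl time.Duration) ([]byte, []byte, error) {
	block, err := aes.NewCipher(serviceKey)
	if err != nil {
		return nil, nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	buf := make([]byte, 16+aead.NonceSize()) // fresh session key followed by the nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	sk, nonce := buf[:16], buf[16:]
	js, _ := json.Marshal(ticketPrivate{client, sk, time.Now().Add(ttl), authData})
	return aead.Seal(nonce, nonce, js, nil), sk, nil
}

// SessionRights is the IPRM-specific content of the DOI object (constructed field set).
type SessionRights struct {
	PurchaseOption string // the user's selection
	ContentURL     string
}

// KeyReq is the non-generic-phase KEY_REQ; the MAC is keyed with the ticket session key.
type KeyReq struct {
	Ticket    []byte
	DOI       SessionRights
	Timestamp time.Time
	MAC       []byte
}

// keyReqMAC covers the whole message except the MAC field itself.
func keyReqMAC(sessionKey []byte, r KeyReq) []byte {
	r.MAC = nil
	body, _ := json.Marshal(r)
	m := hmac.New(sha256.New, sessionKey)
	m.Write(body)
	return m.Sum(nil)
}

func buildKeyReq(ticket, sessionKey []byte, rights SessionRights) KeyReq {
	r := KeyReq{Ticket: ticket, DOI: rights, Timestamp: time.Now()}
	r.MAC = keyReqMAC(sessionKey, r)
	return r
}

// handleKeyReq is the caching-server side: open the ticket, check expiry, verify the MAC,
// then compare the user's selection with the authorization data KDC 204 placed in the
// ticket. Success returns the key both sides now share (KEY_REP follows); else ESB_ERR.
func handleKeyReq(serviceKey []byte, r KeyReq, now time.Time) ([]byte, error) {
	block, err := aes.NewCipher(serviceKey)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	ns := aead.NonceSize()
	if len(r.Ticket) < ns {
		return nil, errors.New("malformed ticket")
	}
	js, err := aead.Open(nil, r.Ticket[:ns], r.Ticket[ns:], nil)
	if err != nil {
		return nil, errors.New("ticket not issued under this service key, or altered")
	}
	var priv ticketPrivate
	json.Unmarshal(js, &priv) // our own JSON, already authenticated by the AEAD tag
	if now.After(priv.Expires) {
		return nil, errors.New("ticket expired")
	}
	if !hmac.Equal(r.MAC, keyReqMAC(priv.SessionKey, r)) {
		return nil, errors.New("KEY_REQ MAC invalid: sender lacks the ticket session key")
	}
	for _, allowed := range priv.AuthData {
		if allowed == r.DOI.PurchaseOption {
			return priv.SessionKey, nil
		}
	}
	return nil, errors.New("session rights do not match the ticket authorization data")
}
```

The refusals are the interesting part: a KEY_REQ whose purchase option lies outside the ticket's authorization data, one whose MAC was computed with a guessed key, one presented to a server holding a different service key, and one arriving after the ticket expiry all end in an error (the protocol's ESB_ERR), while the matching request yields the session key that the KEY_REP step would then confirm.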
At block 532, if access is approved, consumer 216 and caching server 215 negotiate a content encryption key (CEK), which is used for delivery of the content.
At block 534, consumer 216 begins issuing encrypted RTSP commands to caching server 215 to obtain a description of the content (the RTSP URL) and thereafter to request playback of this content.
At block 536, caching server 215 receives the RTSP command, decodes it and returns an encrypted RTSP response. When the RTSP command requests playback of a specific URL, caching server 215 verifies that this specific URL is the one specified by the session rights object for this secure session (identified by the session ID).
At block 538, after receiving the request to play the RTSP URL, caching server 215 begins sending encrypted RTP packets, and both caching server 215 and consumer 216 periodically send encrypted RTCP report packets. All RTP and RTCP packets associated with the same RTSP URL are encrypted using the same session ID, which was recorded when caching server 215 received the encrypted RTSP message from consumer 216.
At block 540, consumer 216 decrypts and plays the content. Meanwhile, consumer 216 may issue additional RTSP commands (for example, to pause or resume playback), still encrypted using the same session ID. Caching server 215 keeps track of who viewed the content, how long the content was viewed and by which mechanism the content was purchased. This information is later used for billing purposes, whether directed to consumer 216 or to an advertiser. Advantageously, the system allows easy switching between content from multiple providers while requiring billing information, for example a credit card number, to be entered only once. When content is requested, information about the consumer is transferred to the content provider transparently. The consumer experience is relatively easy, because multiple access codes need not be remembered.
Publishing content
When content provider 202 wants to publish content to central server 205, the same protocol steps described above are used. For example, central server 205 establishes a secure relationship with content provider 202: a KEY_REQ message is sent to it, followed by a KEY_REP, as described above.
Content delivery between caching servers
A caching server requiring content initiates the authentication and key delivery process by providing a ticket for the source caching server. If it does not already have this ticket, it uses its TGT to request it from KDC 204.
Reporting billing data
When KDC 204 issues consumer 216 a service ticket for a caching server (for example, caching server 215), it adds the consumer's authorization data, for example subscription data and permitted purchase options, to this ticket. Based on the authorization data of consumer 216 and the security object generated by content provider 202 and transmitted by consumer 216, caching server 215 grants consumer 216 access rights to the content and records usage and purchase information. Periodically, the caching server contacts billing center 211 to report billing information. The caching server authenticates itself to the billing center using a billing center ticket. Once authentication is complete, the caching server securely transfers the recorded billing information to billing center 211. Billing center 211 can retrieve consumer data (billing address, credit card and the like) from the customer database maintained by the provisioning center. Central unit 218 can perform billing through a co-located billing system, or coordinate with a billing system located at the access network operator's or the content provider's site.
Initial setup of a caching server
Typically, caching server 215 is provisioned using a mechanism similar to the one described above, except that SERVICE_KEY_REQ/SERVICE_KEY_REP is used to obtain its service key initially and to update it thereafter. This allows the service key to be updated automatically on a schedule, reducing the chance that a particular service key is compromised.
Streaming and non-streaming content
There are two basic types of protected content: streaming content and non-streaming content. The following protocols are used to deliver the actual streaming content and the information related to that content:
Streaming content: RTP (Real-time Transport Protocol)/RTCP (RTP Control Protocol), RTSP (Real Time Streaming Protocol).
Non-streaming transfer of content between servers: stream descriptions: RTSP carrying SDP (Session Description Protocol); other non-streaming content: HTTP (provisioning, content published to the catalogue); custom protocols over TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) (content operation reports).
Streaming content. In a standards-based system, streaming content is typically delivered using RTP. Other proprietary streaming protocols, for example those of Real and Microsoft Windows Media, can also be protected in this IPRM system.
RTP security services
Authentication, encryption and message integrity are implemented to ensure that an unauthorized party cannot view paid content.
RTP encryption mechanism
Every media RTP packet is encrypted to ensure privacy. The two endpoints have the ability to negotiate a specific encryption algorithm, as defined by the system configuration and controlled by the server. Encryption applies to the payload of the packet. The RTP header has the RFC 1889 format: 12 bytes present in every RTP packet, plus a CSRC identifier list that appears only when inserted by a mixer.
RTP packet encoding
Each packet can be encoded using the following process: the sender looks up the session ID for this packet. The lookup can be based on the SSRC (RTP synchronization source) or on the destination IP address and UDP port. (In the case of point-to-point delivery, the session ID is a random number that is unique at both endpoints of this connection.) In turn, the session ID identifies the set of security parameters used to encrypt this packet. These parameters are: (1) EK: the RTP encryption key. This encryption key is used only to encrypt traffic in one direction (for example, always from the caching server to its consumer 216). In the IPRM system there are no bidirectional RTP sessions, so there is only one RTP encryption key per session. (2) A 16-byte initialization vector (IV). In a first aspect, the packet body (not including the RTP header) is encrypted using the selected block cipher in CBC mode. In one embodiment, the AES (Advanced Encryption Standard) cipher is used. AES operates on 128-bit blocks. If the last block is shorter than this, it can be encrypted using a special procedure called RBT (residual block termination).
RTP packet decoding
Each packet is decoded using the following process: the receiver looks up the session ID for this packet. The lookup can be based on the SSRC (RTP synchronization source) or on the source IP address and UDP port. (In the case of point-to-point delivery, the session ID is a random number that is unique at both endpoints of this connection.) In turn, the session ID identifies the set of security parameters used to decrypt this packet. These parameters are: EK, the RTP encryption key; and the initialization vector (IV), which is derived from the RTP packet header using a one-way function. It should be observed that because every RTP packet header contains a different sequence number or timestamp, every packet has a unique IV.
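The RTP packet encoding and decoding just described (header left in the clear, payload under AES-CBC, a trailing partial block closed with residual block termination, IV derived from the header by a one-way function), as an added worked example in Go. This is illustrative code written for this page, not code from the patent or any IPRM implementation. It assumes SHA-256 truncated to 16 bytes as the one-way IV derivation (the patent names only the property) and the RBT rule in which the last full ciphertext block, or the IV when there is none, is re-encrypted and XORed with the residue; the parameter struct and the header builder are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const rtpHeaderLen = 12 // fixed RTP header (RFC 1889); no CSRC list in this example

// rtpSecParams is the parameter set the session ID lookup returns (constructed).
type rtpSecParams struct {
	EK []byte // RTP encryption key, one per session and direction
}

// deriveIV computes the per-packet IV from the RTP header with a one-way function.
// Assumption: SHA-256 truncated to the AES block size; the patent names only the
// property. A changing sequence number or timestamp gives every packet a new IV.
func deriveIV(header []byte) []byte {
	sum := sha256.Sum256(header)
	return sum[:aes.BlockSize]
}

// cbcRBT runs AES-CBC over the full blocks and closes a trailing partial block with
// residual block termination: the last full ciphertext block (or the IV if there is
// none) is encrypted once more with the forward cipher and XORed with the residue,
// so the output keeps the input length and no padding is needed. One function serves
// both directions; only the CBC mode and the choice of "previous block" differ.
func cbcRBT(key, iv, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	full := len(in) / aes.BlockSize * aes.BlockSize
	out := make([]byte, len(in))
	if full > 0 {
		var mode cipher.BlockMode
		if encrypt {
			mode = cipher.NewCBCEncrypter(block, iv)
		} else {
			mode = cipher.NewCBCDecrypter(block, iv)
		}
		mode.CryptBlocks(out[:full], in[:full])
	}
	if rem := len(in) - full; rem > 0 {
		prev := iv
		if full > 0 && encrypt {
			prev = out[full-aes.BlockSize : full] // last ciphertext block just produced
		} else if full > 0 {
			prev = in[full-aes.BlockSize : full] // last ciphertext block received
		}
		var ks [aes.BlockSize]byte
		block.Encrypt(ks[:], prev)
		for i := 0; i < rem; i++ {
			out[full+i] = in[full+i] ^ ks[i]
		}
	}
	return out, nil
}

// encryptRTP and decryptRTP leave the header in the clear and transform only the payload.
func encryptRTP(p rtpSecParams, pkt []byte) ([]byte, error) { return cryptRTP(p, pkt, true) }
func decryptRTP(p rtpSecParams, pkt []byte) ([]byte, error) { return cryptRTP(p, pkt, false) }

func cryptRTP(p rtpSecParams, pkt []byte, encrypt bool) ([]byte, error) {
	if len(pkt) < rtpHeaderLen {
		return nil, errors.New("RTP packet shorter than its fixed header")
	}
	header := pkt[:rtpHeaderLen]
	body, err := cbcRBT(p.EK, deriveIV(header), pkt[rtpHeaderLen:], encrypt)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, header...), body...), nil
}

// buildRTPHeader constructs a minimal RFC 1889 header (V=2, no padding, extension or CSRC).
func buildRTPHeader(pt byte, seq uint16, ts, ssrc uint32) []byte {
	h := make([]byte, rtpHeaderLen)
	h[0], h[1] = 0x80, pt
	binary.BigEndian.PutUint16(h[2:], seq)
	binary.BigEndian.PutUint32(h[4:], ts)
	binary.BigEndian.PutUint32(h[8:], ssrc)
	return h
}
```

A 37-byte payload exercises both paths: two full AES blocks go through CBC and the last five bytes through RBT, and the ciphertext stays 37 bytes, which is what lets the RTP packet size stay unchanged on the wire. Two packets that differ only in sequence number get different IVs and therefore different ciphertext for the same payload.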
RTCP packet encoding
The encoded RTCP packet consists of the original encrypted RTCP packet plus some additional fields:
● the secure session identifier
● the packet sequence number
● the IV (initialization vector), needed only when the selected encryption algorithm is a block cipher in CBC (cipher block chaining) mode
● the MAC: message authentication code, providing message integrity
Each packet is encoded using the following process: the source IP address and UDP port are used to look up the session ID for this packet. (In the case of point-to-point delivery, the session ID is a random number that is unique at both endpoints of this connection.) In turn, the session ID identifies the set of security parameters used to encrypt this packet. These parameters are: EK: the media stream encryption key (the same as for RTP); K_MAC: the message authentication key.
Next, the sequence number is determined. For the first RTCP message sent with the current security parameters it is 0, and it is incremented by 1 thereafter. Next, a random initialization vector (IV) is generated, with the same size as the cipher block size. Then the RTCP message is encrypted using the selected block cipher in CBC mode. At present, the AES cipher can be used. AES operates on 128-bit blocks. If the last block is shorter than this, it can be encrypted using a special procedure called RBT (residual block termination). Thereafter, the encoded RTCP message is assembled without the MAC, the MAC of the RTCP message is computed, and it is appended to the same message.
RTCP packet decoding
Each packet is decoded using the following process: the session ID in the header is used to look up the set of security parameters for decrypting this packet. These parameters are: EK: the media stream encryption key (the same as for RTP); K_MAC: the message authentication key. The MAC of the encoded message is computed, not including the MAC field itself. The computed MAC is verified against the value in the encoded message. If they do not match, further decoding is aborted and an error is reported. The sequence number is verified as specified in the following subsections. If verification fails, the message is treated as a replay and rejected. The encrypted RTCP message is decrypted using the selected block cipher in CBC mode. The IV for this message is contained in the encoded message.
Sequence number verification
There are two cases of sequence number verification: when the message is received over UDP and when it is received over TCP. Although RTCP messages are always sent over UDP, the same encoding rules are applied to protocols other than RTCP.
Sequence number verification for application messages sent over TCP
The sequence number of a received message must be greater than the sequence number of the previously received message. When the sequence number exceeds that of the previous message by more than one, the receiver still accepts the message. (This can happen if the receiver's internal buffer overflows and some not yet processed incoming messages are lost.)
Sequence number verification for application messages sent over UDP
Use sliding window protocol to verify sequence number: the big or small W of sliding window depends on the reliability of UDP transmission, and in the local configuration of each end points.Parameter W can be 32 or 64.The realization of the full blast of sliding window is to use bit-masks and bit shifting function.Before the recipient handled from first grouping in the UDP stream of secured session, first sequence number in the sliding window was initialized to 0, and last is W-1.Sequence number within all windows was received when the first time (appearance), but was rejected when repeating.All littler sequence numbers in " left side " edge than window are rejected.When the sequence number of the grouping that is authenticated that receives, is accepted this sequence number, and substituted " right side " edge of window with this sequence number when the edge is bigger than " right side " of window.Upgrade " left side " edge of window, to keep same window size.When for window (S RIGHT-W+1, S RIGHT), receive sequence number S NEW, and S NEW>S RIGHT, then new window becomes:
(S NEW-W RTCP+1,S NEW)
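The sliding-window check above, implemented with a bit mask and shifts as the text recommends. This is an added example, not code from the patent; the mac_valid input stands in for the MAC verification that precedes the sequence check, and the TCP rule from the previous subsection is included for comparison.

```python
W_ALLOWED = (32, 64)  # window sizes the text allows for W


class UdpReplayWindow:
    """Sliding window over authenticated UDP sequence numbers (bit-mask form).

    Bit i of `mask` is set when sequence number (right - i) has already been
    accepted. Before the first packet the window covers 0 .. W-1.
    """

    def __init__(self, window_size=64):
        if window_size not in W_ALLOWED:
            raise ValueError("W must be 32 or 64")
        self.w = window_size
        self.right = window_size - 1
        self.mask = 0

    @property
    def left(self):
        return self.right - self.w + 1

    def check_and_update(self, seq):
        """Return True and record seq if it is accepted, False if it is rejected."""
        if seq > self.right:
            # Beyond the right edge: slide the window so seq becomes the right edge.
            shift = seq - self.right
            if shift >= self.w:
                self.mask = 0  # nothing from the old window survives
            else:
                self.mask = (self.mask << shift) & ((1 << self.w) - 1)
            self.mask |= 1  # bit 0 now represents seq itself
            self.right = seq
            return True
        if seq < self.left:
            return False  # older than the left edge: reject
        bit = 1 << (self.right - seq)
        if self.mask & bit:
            return False  # seen before: replay
        self.mask |= bit
        return True


def process_udp_packet(window, seq, mac_valid):
    """Order of checks from the decoding procedure: MAC first, then sequence number.

    Only authenticated packets may move the window, so a sender who cannot
    produce a valid MAC cannot advance the right edge and starve legitimate
    traffic.
    """
    if not mac_valid:
        return "bad_mac"
    if not window.check_and_update(seq):
        return "replay"
    return "ok"


def tcp_accept(last_seq, seq):
    """TCP rule: the new sequence number must exceed the previous one.

    Gaps larger than one are accepted, since unprocessed messages may have been
    dropped from an overflowing receive buffer.
    """
    return seq > last_seq
```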
RTSP encoding
If encoded RTSP messages are received directly by the proxy, which decodes them immediately, they can be encoded in binary format. If, however, RTSP messages are forwarded through some intermediate HTTP relay proxy, they may be encoded in printable ASCII. The binary encoding of RTSP messages is identical to the encoding of RTCP messages. Where printable ASCII is required, the binary RTSP encoding is then base-64 encoded. An RTSP packet is encoded as follows: create the binary encoding using the same process as for RTCP packets. If printable ASCII is required, base-64 encode the binary encoding. Insert <CR><LF> after every 80 characters of the base-64 encoding. If the last line is shorter than 80 characters, add another <CR><LF> at the end.
RTSP decoding
Each encoded RTSP message is decoded as follows: if the RTSP message is base-64 encoded, first remove the <CR><LF> characters and base-64 decode the ASCII message into the binary encoding. Decode the binary encoding using the same process as for RTCP packets above. In some cases the client (for example, the viewer) is required to obtain session rights from a third party (the origin server) in order to receive the content. In these cases the client can place its session rights for this content within the DOI object in the key request message and forward it. For point-to-point delivery, the RTSP protocol itself is generally used to request transmission of the stream for particular content identified by an RTSP URL. The RTSP client software should verify that the RTSP URL requested in the secure RTSP message actually corresponds to the RTSP URL in the session rights associated with this secured session (identified by its session ID).
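The printable-ASCII wrapping and unwrapping of the binary RTSP encoding, as an added example rather than the patent's own code. The binary encoding itself is passed in as opaque bytes; the line-structure check in the decoder is an added defensive step, not a requirement stated in the text.

```python
import base64

LINE_LEN = 80
CRLF = b"\r\n"


def rtsp_to_printable_ascii(binary_encoding):
    """Wrap the binary RTSP encoding for transit through an HTTP relay proxy.

    Rule from the text: base-64 encode, insert <CR><LF> after every 80
    characters, and add another <CR><LF> if the last line is shorter than 80.
    Both cases mean every line, including the last, ends with <CR><LF>.
    """
    b64 = base64.b64encode(binary_encoding)
    lines = [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)] or [b""]
    return b"".join(line + CRLF for line in lines)


def printable_ascii_to_rtsp(ascii_encoding):
    """Reverse the wrapping: check line structure, strip <CR><LF>, base-64 decode.

    Structural check (assumption, added here): every line is terminated by
    <CR><LF>, is at most 80 characters, and only the last line may be shorter.
    Malformed input is rejected before any decoding of the binary layer.
    """
    if not ascii_encoding.endswith(CRLF):
        raise ValueError("printable RTSP encoding must end with <CR><LF>")
    lines = ascii_encoding[:-len(CRLF)].split(CRLF)
    last = len(lines) - 1
    for idx, line in enumerate(lines):
        if len(line) > LINE_LEN or (len(line) < LINE_LEN and idx != last):
            raise ValueError("malformed line %d in printable RTSP encoding" % idx)
    # validate=True makes non-alphabet characters an error instead of being skipped.
    return base64.b64decode(b"".join(lines), validate=True)


def encode_rtsp(binary_encoding, via_http_relay):
    """Choose the wire form: binary when the proxy decodes directly, ASCII via a relay."""
    if via_http_relay:
        return rtsp_to_printable_ascii(binary_encoding)
    return binary_encoding
```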
IPRM protocol messages
The protocol messages listed in Table 1 are discussed further below.
Message AS_REQ
Message AS_REQ is sent to the ESBroker™ authentication server (KDC 204) to obtain a ticket-granting ticket, which the KDC client uses to request tickets from the server. The message contains the identity of the client, the identity of the server, and the list of symmetric encryption algorithms the client supports. To check for replay, the message also contains a timestamp. A signature is provided to guarantee message integrity; it can be either an encrypted checksum (for example, HMAC) or a digital signature. A digital certificate may optionally be included in the message and can substitute for a stored public key when the digital signature is verified at a later stage. The permanent symmetric key used to verify the client's encrypted checksum can be stored in the same client database. The message also contains the public key information required for key agreement (for example, elliptic curve Diffie-Hellman parameters).
Message AS_REP
AS_REP is generated by KDC 204 in response to AS_REQ. KDC 204 looks up the keys of the server and the client in its database and generates a session key to be used for subsequent authentication to KDC 204. KDC 204 generates a ticket-granting ticket (TGT), which has a plaintext part and an encrypted part. The server identity in the TGT must always be 'KDC' (without quotation marks), and the KDC realm is listed separately in the server realm field (Srealm) of the AS_REQ message. The server identity and the ticket validity period are provided in the plaintext part of the ticket that is sent. The encrypted part of the ticket contains the client name, the session key and any other data that must be kept secret. The ticket also provides the list of encryption types and checksum types that KDC 204 supports. The encrypted part of the ticket is encrypted with the private key of KDC 204. The message is signed by KDC 204 using the private key corresponding to the public key specified by the client in AS_REQ, and using the signature algorithm specified in AS_REQ. The public key information is the public part of KDC 204's key agreement parameters and indicates the same key agreement algorithm that the client selected. The public key used to verify KDC 204's digital signature can be obtained by its clients during provisioning.
Encrypted part of AS_REP
The encrypted part of the message contains the same information as the ticket, so that the client can access its own authorization data. It also contains the identity of the client, to verify that this reply was originally created by KDC 204 for this particular client. The data is encrypted with a symmetric key derived from the key agreement algorithm. However, the key in the encrypted part of AS_REP is different from the session key in the ticket: it is the SKS (session key seed), which the client combines with its own host ID to produce the actual session key.
TGS_REQ message
When the client wishes to obtain an authentication credential for a given server, it initiates a TGS exchange between itself and the ticket-granting server. The client may use the AS exchange to obtain a ticket for the ticket-granting service. The message format of the TGS exchange is similar to that of the AS exchange. The main difference is that encryption and decryption in the TGS exchange are not performed under the key agreement algorithm; instead, the session key from the ticket-granting ticket is used. The client sends this message to the ticket-granting server to obtain a caching server ticket (which can be used in KEY_REQ). The client includes the TGT obtained from AS_REP as part of the message. The message specifies the identity of the server and the identity of the client (which is carried in the TGT). Because the client identity in the TGT is encrypted, client privacy is protected (a property that is useful for consumer 216 in the IPRM system): an eavesdropper cannot detect which service the user is requesting. The server uses the client's timestamp to detect replay. The session key in the TGT is used to compute the message checksum.
Message TGS_REP
The TGS_REP message is generated by KDC 204 in response to TGS_REQ. It contains the end service ticket (issued by KDC 204 and presented by the client to the server when it must request service). The server identity and the ticket validity period are provided in the plaintext part of the ticket that is sent. The encrypted part of the ticket contains the client realm, the client name and the session key, encrypted with the key shared between the server and KDC 204. Any other client data that must remain private is included in the encrypted part of the ticket. The encrypted part of the message contains the SKS (in the session key field), which the client can use (together with its host ID) to generate the actual session key used to authenticate to the specific application server. The encrypted part of the message may also contain client authorization data to be presented to the server. KDC 204 uses the TGT session key for encryption and to sign the message with the checksum. The IPRM system 2000 currently makes use of the authorization data in the tickets issued to consumer 216.
Ticket challenge message
Whenever a server wants to initiate key management, it uses the ticket challenge message. This message is not authenticated, but it does carry an STID in its header. As used herein, the STID (source transaction identifier) is a unique random value chosen by the initiator of the key management messages.
The client's response will carry the value of this STID in the DTID header field of the reply. Even without authentication, this prevents a denial-of-service attack in which an adversary triggers unwanted key management exchanges. The message also contains the server realm and principal name, which the client uses to look up or obtain the correct ticket for this server. Within IPRM system 2000, the application server initiates key management with a ticket challenge on the interface between the content provider (client) and the caching server (application server). The ticket challenge message also contains the following fields:
● the identifier of the target protocol for which the key is established
● application role: identifies the specific application for which the key is established. When the key management process receives a request from another host to establish a key, it uses the application role to look up the local application to which the established key will be handed and which will verify the contents of the DOI object.
● application server name and realm
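The STID/DTID matching described above, as an added example (not the patent's code): the initiator accepts a KEY_REQ only when its DTID echoes an STID it actually issued and has not yet consumed, so unsolicited or replayed requests are dropped before any ticket or key processing. The STID size, the message-as-dictionary layout and the pending-challenge timeout are assumptions for this example.

```python
import os
import time

STID_LEN = 8          # bytes of randomness per STID (assumed; the text only says "random value")
PENDING_TTL = 30.0    # seconds an unanswered challenge stays outstanding (assumed)


class KeyManagementInitiator:
    """Server side of the ticket challenge: issues TKT_CHALLENGE and screens replies."""

    def __init__(self, server_name, server_realm, now=time.time):
        self.server_name = server_name
        self.server_realm = server_realm
        self.now = now            # injectable clock so the expiry path can be tested
        self.pending = {}         # STID -> time the challenge was issued

    def ticket_challenge(self, target_protocol, app_role):
        """Build an (unauthenticated) TKT_CHALLENGE with a fresh, unique STID."""
        stid = os.urandom(STID_LEN)
        while stid in self.pending:   # unique among this initiator's outstanding STIDs
            stid = os.urandom(STID_LEN)
        self.pending[stid] = self.now()
        return {
            "type": "TKT_CHALLENGE",
            "STID": stid,
            "target_protocol": target_protocol,
            "app_role": app_role,
            "server_name": self.server_name,
            "server_realm": self.server_realm,
        }

    def accept_key_request(self, key_req):
        """Return True only if KEY_REQ answers an outstanding challenge; consume it.

        A KEY_REQ whose DTID matches nothing we issued is discarded here, which
        is what keeps an adversary from driving this host through full key
        management exchanges it never asked for.
        """
        self._expire()
        dtid = key_req.get("DTID")
        if dtid not in self.pending:
            return False
        del self.pending[dtid]    # one challenge, one accepted reply
        return True

    def _expire(self):
        cutoff = self.now() - PENDING_TTL
        for stid in [s for s, issued in self.pending.items() if issued < cutoff]:
            del self.pending[stid]


def build_key_request(challenge, ticket_store):
    """Client side: answer a TKT_CHALLENGE with a KEY_REQ.

    DTID echoes the challenge's STID, and the service ticket is looked up by the
    server name and realm carried in the challenge (ticket_store maps
    (name, realm) -> ticket bytes obtained earlier from TGS_REP).
    """
    ticket = ticket_store[(challenge["server_name"], challenge["server_realm"])]
    return {
        "type": "KEY_REQ",
        "DTID": challenge["STID"],
        "STID": os.urandom(STID_LEN),     # this message's own transaction id
        "target_protocol": challenge["target_protocol"],
        "app_role": challenge["app_role"],
        "ticket": ticket,
    }
```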
Key request message
The key request is sent by the client to establish a new security parameter set. Whenever the client receives a ticket challenge message, it can answer with a key request. The client may also use this message to periodically establish new keys with the server. The client starts out with a valid ticket, obtained earlier in a TGS reply. The server starts out with its service key, which it can use to decrypt and verify the ticket. The key request contains the client's ticket and an encrypted checksum, which are required to authenticate the client. The message also contains a timestamp (to prevent replay attacks). The message contains the following fields:
● the identifier of the target protocol for which the key is established.
● application role: identifies the specific application for which the key is established.
● the current time of the client's host
● the service ticket obtained from TGS_REP, which identifies the client.
● the list of cryptographic algorithms (cipher suites) the client supports.
● DOI data, which is protocol-specific and application-specific and may be encrypted.
● an authenticator that verifies the content of the DOI data, where this authenticator is generated by a third party (for example, the content provider).
● a MAC generated by the client, which provides message integrity.
Key reply
The key reply message is sent by the server in response to the key request message. The key reply may contain a randomly generated subkey, encrypted with the session key shared between the client and the server. The length of the subkey is DOI-specific. The key reply contains some additional information required to establish the security parameters. The key reply message contains the following fields:
● the identifier of the target protocol for which the key is established.
● application role: identifies the specific application for which the key is established.
● the encrypted subkey, used to derive keys that protect the target protocol or object.
● the encryption and authentication algorithms that should be used to protect the target protocol or object.
● the encrypted DOI object, containing some application-specific or protocol-specific parameters.
● the validity period of the subkey.
● a flag indicating whether a new subkey should be negotiated automatically before the old one expires.
● a flag indicating whether the recipient of this message should answer with a security established message.
● a MAC, which provides message integrity.
Security established
The security established message is sent by the client to the server to confirm that it has received the key reply and successfully established the new security parameters. This message is sent only when the ACK_REQ flag in the key reply is set. Where the server initiated key management with a ticket challenge, it may want to see this confirmation and can therefore request it by setting the required ACK flag in the key reply. This message contains the following fields:
● the identifier of the target protocol for which the key is established.
● application role: identifies the specific application for which the key is established.
● a MAC covering this message and the preceding key reply message.
Message CLIENT_ENROLL_REQ
Message CLIENT_ENROLL_REQ is sent to KDC 204 by a client that wishes to update its public key, or to specify a new public key that is not yet in the KDC 204 database and has no corresponding digital certificate. This message can be authenticated with a provisioning ticket and a checksum encrypted with the provisioning key (the session key inside the provisioning ticket). A provisioning server can obtain the provisioning ticket on behalf of some ESBroker™ principal using the INIT_PRINCIPAL_REQ message. The provisioning server then uses an out-of-band method to forward the provisioning ticket, together with the corresponding provisioning key, to the client, which then generates this CLIENT_ENROLL_REQ. The client may also specify which type of KDC 204 certificate (in AS_REP messages) it will accept. If the corresponding attribute (KDC 204 certificate type) is absent, the client does not support KDC 204 certificates of any type. On receiving this message, KDC 204 decides, based on its policy, whether it should store the public key, issue a certificate to the client, or both. KDC 204 also determines which type of certificate to issue. The client does not care which type of certificate KDC 204 issues, because it need not parse its own certificate; when a client is issued a certificate, it must treat the certificate as opaque. The client is responsible only for storing its own certificate and including it in AS_REQ messages.
Message CLIENT_ENROLL_REP
This message is the reply to CLIENT_ENROLL_REQ. It confirms that the client's public key has been updated, or specifies a new client certificate for the public key, or both. The action KDC 204 took before sending this message is based on its configured policy. The message is authenticated with an encrypted checksum, using the same provisioning key as the request. Although not shown, those skilled in the art will recognize that various other messages consistent with the spirit and scope of the invention may be used.
Media stream key management
Media stream key management is a protocol specific to IPRM, identified by the DOI_ID attribute used in the ticket challenge, KEY_REQ, KEY_REP and security established messages.
Optionally, these messages can carry a third-party authenticator corresponding to the DOI object. This authenticator is useful when the generator of the DOI object is not the sender of the key management message but some other third party. For media stream security, such an authenticator is required in some cases and not in others.
An IPRM DOI object contains either a session rights object or a session ID: a random number that uniquely identifies a point-to-point secured session. Generating a session ID does not require a strong random number generator; any software-based pseudo-random number generator is sufficient. When one of the endpoints generates a session ID, it ensures that the ID is unique for that host. Whenever a session ID collision is detected, the endpoint that detects the collision can return an application error code, and the endpoint that generated the session ID generates another random value and retries. Note that normally the DOI object is encrypted within the KEY_REQ or KEY_REP message.
Media stream DOI objects
Several types of IPRM DOI object can be used in media stream key management:
● session rights
● session ID
Session rights DOI object
Normally, session rights are sent together with the KEY_REQ message when consumer 216 requests a secured session from a caching server in order to watch a program. Consumer 216 obtains the session rights from content provider 202. Consumer 216 (the viewer software) then places this DOI object within the KEY_REQ message, which is subsequently verified by the appropriate caching server. The session rights are followed by a third-party authenticator, so that the caching server can verify that content provider 202 generated the session rights together with this authenticator.
Session rights contain a session ID, which identifies the particular content stream or distribution session, and an expiration time for these session rights. Session rights also include user selections, such as:
● the purchase option selected by consumer 216. For example, the option indicates that the content is free, or is purchased by subscription, by pay-per-view, or by pay-by-time (where the price varies according to how much of the content has been watched).
● the purchase price of the content
The same session rights may also contain content rules, for example:
● restricting distribution of the content to particular countries
● restricting distribution of the content to particular geographic regions
● a list of the service IDs under which this content is offered for subscription
In general, these rules and selections can be arbitrarily complex and can be expressed in different formats, including TLV (type-length-value) encoding, XML, and so on.
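How a caching server can act on session rights and their third-party authenticator, as an added example (not the patent's code). The content provider issues the rights and the authenticator; the caching server verifies the authenticator, the expiry, and then the content rules and purchase option against the consumer's authorization data. The sorted-JSON encoding, the HMAC-SHA256 authenticator under a key shared between content provider and caching server, and the authorization-data field names are all assumptions of this example.

```python
import hashlib
import hmac
import json


def canonical(obj):
    """Deterministic byte encoding of a session rights object (assumed: sorted JSON)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_session_rights(provider_key, session_id, expires_at, purchase_option,
                        price, content_rules):
    """Content provider side: issue session rights plus the third-party authenticator.

    The authenticator (assumed HMAC-SHA256) binds every field, so session rights
    edited by the consumer on their way into the KEY_REQ fail verification.
    """
    rights = {
        "session_id": session_id,
        "expires_at": expires_at,
        "purchase_option": purchase_option,
        "price": price,
        "content_rules": content_rules,
    }
    authenticator = hmac.new(provider_key, canonical(rights), hashlib.sha256).hexdigest()
    return rights, authenticator


def caching_server_check(provider_key, rights, authenticator, authorization_data, now):
    """Caching server side, on receiving session rights inside a KEY_REQ.

    Returns "ok" or a short reason for refusing the session. `authorization_data`
    is what the consumer obtained from the KDC; the field names used here
    (country, region, subscribed_service_ids) are assumptions for this example.
    """
    expected = hmac.new(provider_key, canonical(rights), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, authenticator):
        return "bad_authenticator"       # not generated by the content provider
    if now >= rights["expires_at"]:
        return "expired"
    rules = rights["content_rules"]
    allowed_countries = rules.get("allowed_countries")
    if allowed_countries is not None and authorization_data.get("country") not in allowed_countries:
        return "country_not_allowed"
    allowed_regions = rules.get("allowed_regions")
    if allowed_regions is not None and authorization_data.get("region") not in allowed_regions:
        return "region_not_allowed"
    if rights["purchase_option"] == "subscription":
        offered = set(rules.get("service_ids", []))
        held = set(authorization_data.get("subscribed_service_ids", []))
        if not offered & held:
            return "not_subscribed"      # no overlap between offered and held service IDs
    return "ok"
```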
Session ID DOI object
The session ID DOI object is used in KEY_REQ and KEY_REP messages. When a caching server requests content from another caching server, the session ID DOI object is included in the KEY_REQ message sent by the requesting caching server. When a caching server requests content from content provider 202, the session ID DOI object is sent as part of the KEY_REP message: in this case the caching server initiates the key management exchange with a TKT_CHALLENGE message and has no opportunity to specify the session ID until it sends the KEY_REP message. Because this type of DOI object is not created by a third party, it does not require an additional third-party authenticator.
Key derivation
This key derivation process is specific to the IPRM DOI_ID value and applies to the media stream and to other target protocols under the same DOI_ID. Once established by key management, the target application secret (TAS) (the concatenation of the session key and the subkey) is used to derive the following set of keys, in the specified order. The client derives:
Outbound EK: the content encryption key for outgoing messages. Its length depends on the selected cipher.
Outbound K_MAC: the MAC (message authentication code) key used to generate MACs that authenticate outgoing messages. Its length depends on the selected message authentication algorithm.
Inbound EK: the content encryption key for incoming messages.
Inbound K_MAC: the MAC key used to authenticate incoming messages.
The application server derives:
Inbound EK
Inbound K_MAC
Outbound EK
Outbound K_MAC
Note that the derivation order of the inbound and outbound keys is reversed between client and server, because the key used on one side to encrypt communication is used on the other side to decrypt it. Similarly, the MAC key used on one side to generate the MAC of an outgoing message is used on the other side to verify the MAC of that incoming message.
It should also be noted that not every key is used by every protocol. For example, RTP uses only EK, the encryption key, and only for flow in one direction, because in IPRM there are no bidirectional RTP sessions (the client does not send RTP packets back to the streaming server). The key derivation function is a one-way function: given a derived key, determining the value of the TAS (target application secret) is infeasible.
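The mirrored derivation order above, as an added example that is not the patent's code: both sides expand the same TAS with the same one-way function, and only the naming of the four slots differs, so the client's outbound keys are the server's inbound keys. The expansion function (HMAC-SHA256 in counter mode) and the default key lengths are assumptions; the text fixes only the order and the one-way property.

```python
import hashlib
import hmac

# Derivation order from the text: the client derives out-EK, out-K_MAC, in-EK, in-K_MAC;
# the server derives the same material as in-EK, in-K_MAC, out-EK, out-K_MAC.
CLIENT_ORDER = ("out_EK", "out_K_MAC", "in_EK", "in_K_MAC")
SERVER_ORDER = ("in_EK", "in_K_MAC", "out_EK", "out_K_MAC")


def expand_tas(tas, total_len):
    """One-way expansion of the TAS (assumed: HMAC-SHA256 over a 32-bit counter).

    Recovering the TAS from any slice of the output would require inverting
    HMAC, which is the one-way property the text requires of the KDF.
    """
    out = b""
    counter = 1
    while len(out) < total_len:
        out += hmac.new(tas, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:total_len]


def derive_key_set(session_key, subkey, order, ek_len=16, mac_len=20):
    """Cut the expanded TAS into the four keys, in the order the caller's role uses.

    ek_len follows the selected cipher and mac_len the selected MAC algorithm;
    the defaults here are assumed values for the example.
    """
    tas = session_key + subkey  # TAS = session key || subkey
    lengths = [ek_len if name.endswith("EK") else mac_len for name in order]
    stream = expand_tas(tas, sum(lengths))
    keys = {}
    pos = 0
    for name, length in zip(order, lengths):
        keys[name] = stream[pos:pos + length]
        pos += length
    return keys


def client_keys(session_key, subkey, **kw):
    return derive_key_set(session_key, subkey, CLIENT_ORDER, **kw)


def server_keys(session_key, subkey, **kw):
    return derive_key_set(session_key, subkey, SERVER_ORDER, **kw)


def rtp_keys(keys, role):
    """RTP uses only EK and only one direction: server->client (no RTP back to the server)."""
    return keys["out_EK"] if role == "server" else keys["in_EK"]
```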
Although the above is a complete description of specific exemplary embodiments of the invention, additional embodiments are also possible. Therefore, the above description should not be taken as limiting the scope of the invention, which is determined by the appended claims together with the full scope of their equivalents.

Claims (13)

1. A rights management system for securely delivering content to authorized consumers, the system comprising:
a content provider;
a consumer system for requesting content from the content provider;
the content provider generating a session rights object used for accessing the content;
a key distribution center (KDC) for providing authorization data to the consumer system, the authorization data being used for accessing the content;
a caching server for comparing information in the session rights object with the authorization data; and
if the information matches the authorization data, the caching server forwarding the requested content to the consumer system.
2. The system of claim 1, wherein
the consumer system is redirected to the caching server to receive the requested content.
3. The system of claim 1, wherein the caching server and the content provider are combined as a single identified system.
4. The system of claim 1, wherein
the caching server uses real-time streaming to transmit the content securely after the content has been encrypted.
5. The system of claim 1, wherein
the requested content is encrypted before being forwarded to the consumer system.
6. The system of claim 4, wherein
the caching server and the consumer system exchange control messages to support the transmission of the requested content.
7. The system of claim 6, wherein the control messages are encrypted and authenticated.
8. The system of claim 5, wherein
the KDC distributes cryptographic keys, the KDC using a combination of symmetric-key and public-key algorithms to distribute the cryptographic keys.
9. The system of claim 5, further comprising
a key management protocol system for establishing keys between the caching server and the consumer system.
10. The system of claim 9, wherein
the caching server receives a key request message from the consumer system, the key request message requesting a session key from the caching server; and
in response to the key request message, the caching server sends a key reply message that provides the session key to the consumer system.
11. The system of claim 10, wherein
the session rights object and the authorization data are included in the key request message;
wherein the caching server compares the information in the session rights object with the authorization data; and
if the information matches the authorization data, the session key is provided to the consumer system.
12. The system of claim 11, wherein
the content provider generates the session rights object, the session rights object specifying the user's access rights to the content.
13. A rights management method for securely delivering content to authorized consumers, the method comprising:
requesting content from a content provider;
generating a session rights object used for accessing the content;
providing authorization data to a consumer system, the authorization data being used for accessing the content;
comparing information in the session rights object with the authorization data; and
if the information matches the authorization data, forwarding the requested content to the consumer system.
CNB028227603A 2001-11-15 2002-11-15 Key management protocol and authentication system for secure content delivery over the Internet Expired - Lifetime CN100546244C (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US33472101P 2001-11-15 2001-11-15
US60/334,721 2001-11-15
US10/092,347 2002-03-04
US10/092,347 US7243366B2 (en) 2001-11-15 2002-03-04 Key management protocol and authentication system for secure internet protocol rights management architecture

Publications (2)

Publication Number Publication Date
CN1631000A CN1631000A (en) 2005-06-22
CN100546244C true CN100546244C (en) 2009-09-30

Family

ID=26785560

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB028227603A Expired - Lifetime CN100546244C (en) 2001-11-15 2002-11-15 Key management protocol and authentication system for secure content delivery over the Internet

Country Status (9)

Country Link
US (1) US7243366B2 (en)
EP (1) EP1449347B1 (en)
JP (1) JP2005510184A (en)
KR (1) KR101078455B1 (en)
CN (1) CN100546244C (en)
AU (1) AU2002366155A1 (en)
CA (1) CA2467353C (en)
MX (1) MXPA04004630A (en)
WO (1) WO2003045036A2 (en)

US9436804B2 (en) 2005-04-22 2016-09-06 Microsoft Technology Licensing, Llc Establishing a unique session key using a hardware functionality scan
US20060265758A1 (en) 2005-05-20 2006-11-23 Microsoft Corporation Extensible media rights
US7684566B2 (en) 2005-05-27 2010-03-23 Microsoft Corporation Encryption scheme for streamed multimedia content protected by rights management system
US8353046B2 (en) 2005-06-08 2013-01-08 Microsoft Corporation System and method for delivery of a modular operating system
JP2007004276A (en) * 2005-06-21 2007-01-11 Sharp Corp Information providing apparatus, information providing system, information providing method, information providing program, and recording medium with the program recorded
GB0512744D0 (en) * 2005-06-22 2005-07-27 Blackspider Technologies Method and system for filtering electronic messages
US7561696B2 (en) * 2005-07-12 2009-07-14 Microsoft Corporation Delivering policy updates for protected content
US8291469B1 (en) * 2005-08-02 2012-10-16 Sprint Communications Company L.P. Communication access provider that allows a service provider to control an access interface at a customer premise
US7634816B2 (en) * 2005-08-11 2009-12-15 Microsoft Corporation Revocation information management
US8321690B2 (en) * 2005-08-11 2012-11-27 Microsoft Corporation Protecting digital media of various content types
US7720096B2 (en) * 2005-10-13 2010-05-18 Microsoft Corporation RTP payload format for VC-1
CN100527144C (en) * 2005-11-21 2009-08-12 华为技术有限公司 Method and device for accurate charging in digital copyright management
US20070154016A1 (en) * 2006-01-05 2007-07-05 Nakhjiri Madjid F Token-based distributed generation of security keying material
US20070237145A1 (en) * 2006-03-30 2007-10-11 Avaya Technology Llc Comparison based authentication in RTP
US7818264B2 (en) 2006-06-19 2010-10-19 Visa U.S.A. Inc. Track data encryption
US20070271106A1 (en) * 2006-05-19 2007-11-22 Lee David H System and method for secure internet channeling agent
KR100782854B1 (en) * 2006-08-10 2007-12-06 삼성전자주식회사 Managing content method and apparatus using remote user interface
JP4983165B2 (en) * 2006-09-05 2012-07-25 ソニー株式会社 COMMUNICATION SYSTEM AND COMMUNICATION METHOD, INFORMATION PROCESSING DEVICE AND METHOD, DEVICE, PROGRAM, AND RECORDING MEDIUM
US8412947B2 (en) * 2006-10-05 2013-04-02 Ceelox Patents, LLC System and method of secure encryption for electronic data transfer
US9654495B2 (en) * 2006-12-01 2017-05-16 Websense, Llc System and method of analyzing web addresses
US8718646B2 (en) * 2006-12-21 2014-05-06 Alcatel Lucent Methods and apparatus for distributed multimedia content supporting user mobility
GB2458094A (en) * 2007-01-09 2009-09-09 Surfcontrol On Demand Ltd URL interception and categorization in firewalls
GB2445764A (en) 2007-01-22 2008-07-23 Surfcontrol Plc Resource access filtering system and database structure for use therewith
CN101622849B (en) * 2007-02-02 2014-06-11 网圣公司 System and method for adding context to prevent data leakage over a computer network
US8015174B2 (en) * 2007-02-28 2011-09-06 Websense, Inc. System and method of controlling access to the internet
US8948394B2 (en) 2007-02-28 2015-02-03 Google Technology Holdings LLC Method and apparatus for distribution and synchronization of cryptographic context information
US20080219436A1 (en) * 2007-03-05 2008-09-11 General Instrument Corporation Method and apparatus for providing a digital rights management engine
RU2339077C1 (en) * 2007-03-13 2008-11-20 Олег Вениаминович Сахаров Method of operating conditional access system for application in computer networks and system for its realisation
KR101375670B1 (en) * 2007-05-08 2014-03-18 삼성전자주식회사 Method of encrypting and decrypting data, and Bus System using the same
GB0709527D0 (en) 2007-05-18 2007-06-27 Surfcontrol Plc Electronic messaging system, message processing apparatus and message processing method
US8392702B2 (en) * 2007-07-27 2013-03-05 General Instrument Corporation Token-based management system for PKI personalization process
WO2009043576A1 (en) * 2007-10-02 2009-04-09 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Concept for a key management in a drm system
US8745690B2 (en) * 2007-12-20 2014-06-03 Sap Ag Deriving service provider constraints from service consumer context
US20090180614A1 (en) * 2008-01-10 2009-07-16 General Instrument Corporation Content protection of internet protocol (ip)-based television and video content delivered over an ip multimedia subsystem (ims)-based network
US8370948B2 (en) * 2008-03-19 2013-02-05 Websense, Inc. System and method for analysis of electronic information dissemination events
US9015842B2 (en) 2008-03-19 2015-04-21 Websense, Inc. Method and system for protection against information stealing software
US9130986B2 (en) * 2008-03-19 2015-09-08 Websense, Inc. Method and system for protection against information stealing software
US8407784B2 (en) * 2008-03-19 2013-03-26 Websense, Inc. Method and system for protection against information stealing software
US8989388B2 (en) * 2008-04-02 2015-03-24 Cisco Technology, Inc. Distribution of storage area network encryption keys across data centers
CN101286840B (en) * 2008-05-29 2014-07-30 西安西电捷通无线网络通信股份有限公司 Key distributing method and system using public key cryptographic technique
US8462954B2 (en) * 2008-05-30 2013-06-11 Motorola Mobility Llc Content encryption using at least one content pre-key
US9548859B2 (en) * 2008-12-03 2017-01-17 Google Technology Holdings LLC Ticket-based implementation of content leasing
US20100162414A1 (en) * 2008-12-23 2010-06-24 General Instrument Corporation Digital Rights Management for Differing Domain-Size Restrictions
US9282106B2 (en) 2009-02-20 2016-03-08 Comcast Cable Communications, Llc Authenticated communication between security devices
US20100268649A1 (en) * 2009-04-17 2010-10-21 Johan Roos Method and Apparatus for Electronic Ticket Processing
US9130972B2 (en) 2009-05-26 2015-09-08 Websense, Inc. Systems and methods for efficient detection of fingerprinted data and information
CA2822185C (en) 2009-08-14 2014-04-22 Azuki Systems, Inc. Method and system for unified mobile content protection
US8761392B2 (en) * 2009-09-29 2014-06-24 Motorola Mobility Llc Digital rights management protection for content identified using a social TV service
DE102009051383A1 (en) * 2009-10-30 2011-05-12 Siemens Aktiengesellschaft Method and device for the secure transmission of data
CN101668046B (en) * 2009-10-13 2012-12-19 成都市华为赛门铁克科技有限公司 Resource caching method, device and system thereof
US20110119743A1 (en) 2009-11-17 2011-05-19 General Instrument Corporation Communication of content to event attendees
US8438270B2 (en) * 2010-01-26 2013-05-07 Tenable Network Security, Inc. System and method for correlating network identities and addresses
US8302198B2 (en) 2010-01-28 2012-10-30 Tenable Network Security, Inc. System and method for enabling remote registry service security audits
US8707440B2 (en) * 2010-03-22 2014-04-22 Tenable Network Security, Inc. System and method for passively identifying encrypted and interactive network sessions
US8549650B2 (en) 2010-05-06 2013-10-01 Tenable Network Security, Inc. System and method for three-dimensional visualization of vulnerability and asset data
WO2012012579A1 (en) 2010-07-20 2012-01-26 Verimatrix, Inc. Digital rights domain management for secure content distribution in a local network
US10122693B2 (en) 2010-10-25 2018-11-06 International Business Machines Corporation Protocol based key management
TWI420339B (en) 2010-11-10 2013-12-21 Ind Tech Res Inst Software authorization system and method
CN102546561B (en) * 2010-12-30 2016-10-05 联想(北京)有限公司 Terminal unit, server, information processing system and information processing method thereof
EP2493115A3 (en) * 2011-02-24 2017-06-21 ViXS Systems Inc. Sanctioned client device and methods for content protection
US9509504B2 (en) * 2011-08-17 2016-11-29 Red Hat, Inc. Cryptographic key manager for application servers
US20130054450A1 (en) * 2011-08-31 2013-02-28 Richard Lang Monetization of Atomized Content
US9231926B2 (en) * 2011-09-08 2016-01-05 Lexmark International, Inc. System and method for secured host-slave communication
US20130159193A1 (en) * 2011-12-19 2013-06-20 General Instrument Corporation Method and apparatus for delivering content in a communication system
EP2810206A4 (en) * 2012-01-31 2015-11-11 Hewlett Packard Development Co Selection of a configuration link to receive activation data
US9367707B2 (en) 2012-02-23 2016-06-14 Tenable Network Security, Inc. System and method for using file hashes to track data leakage and document propagation in a network
CA2873695C (en) 2012-04-01 2019-10-01 Authentify, Inc. Secure authentication in a multi-party system
US9286491B2 (en) 2012-06-07 2016-03-15 Amazon Technologies, Inc. Virtual service provider zones
US10075471B2 (en) 2012-06-07 2018-09-11 Amazon Technologies, Inc. Data loss prevention techniques
US10084818B1 (en) 2012-06-07 2018-09-25 Amazon Technologies, Inc. Flexibly configurable data modification services
US9590959B2 (en) 2013-02-12 2017-03-07 Amazon Technologies, Inc. Data security service
GB2503452A (en) * 2012-06-26 2014-01-01 Nds Ltd Supplying a request for content together with a caching recommendation to cloud equipment
US9043920B2 (en) 2012-06-27 2015-05-26 Tenable Network Security, Inc. System and method for identifying exploitable weak points in a network
US9088606B2 (en) 2012-07-05 2015-07-21 Tenable Network Security, Inc. System and method for strategic anti-malware monitoring
US9117054B2 (en) 2012-12-21 2015-08-25 Websense, Inc. Method and apparatus for presence based resource management
US10211977B1 (en) 2013-02-12 2019-02-19 Amazon Technologies, Inc. Secure management of information using a security module
US10467422B1 (en) 2013-02-12 2019-11-05 Amazon Technologies, Inc. Automatic key rotation
US9705674B2 (en) 2013-02-12 2017-07-11 Amazon Technologies, Inc. Federated key management
US9300464B1 (en) 2013-02-12 2016-03-29 Amazon Technologies, Inc. Probabilistic key rotation
US9367697B1 (en) 2013-02-12 2016-06-14 Amazon Technologies, Inc. Data security with a security module
US9608813B1 (en) 2013-06-13 2017-03-28 Amazon Technologies, Inc. Key rotation techniques
US10210341B2 (en) 2013-02-12 2019-02-19 Amazon Technologies, Inc. Delayed data access
US9547771B2 (en) 2013-02-12 2017-01-17 Amazon Technologies, Inc. Policy enforcement with associated data
US9130943B1 (en) * 2013-03-11 2015-09-08 Ca, Inc. Managing communications between client applications and application resources of on-premises and cloud computing nodes
US10154025B2 (en) 2013-03-15 2018-12-11 Qualcomm Incorporated Seamless device configuration in a communication network
US9467464B2 (en) 2013-03-15 2016-10-11 Tenable Network Security, Inc. System and method for correlating log data to discover network vulnerabilities and assets
US9467425B2 (en) 2013-03-18 2016-10-11 Intel Corporation Key refresh between trusted units
US9288670B2 (en) * 2013-04-19 2016-03-15 T-Mobile Usa, Inc. Dynamic distribution of authentication sessions
US9300639B1 (en) 2013-06-13 2016-03-29 Amazon Technologies, Inc. Device coordination
US10068014B2 (en) * 2014-02-06 2018-09-04 Fastly, Inc. Security information management for content delivery
US9876991B1 (en) * 2014-02-28 2018-01-23 Concurrent Computer Corporation Hierarchical key management system for digital rights management and associated methods
US9397835B1 (en) 2014-05-21 2016-07-19 Amazon Technologies, Inc. Web of trust management in a distributed system
US9438421B1 (en) 2014-06-27 2016-09-06 Amazon Technologies, Inc. Supporting a fixed transaction rate with a variably-backed logical cryptographic key
US9866392B1 (en) 2014-09-15 2018-01-09 Amazon Technologies, Inc. Distributed system web of trust provisioning
US10171581B2 (en) 2014-12-11 2019-01-01 LiveLoop, Inc. Blended operational transformation for multi-user collaborative applications
US10469477B2 (en) 2015-03-31 2019-11-05 Amazon Technologies, Inc. Key export techniques
US10382578B2 (en) 2015-06-05 2019-08-13 Apple Inc. Provision of a lease for streaming content
WO2017044563A1 (en) * 2015-09-09 2017-03-16 Mastercard International Incorporated Method and system for intelligent storage and distribution of media keys for content delivery
KR101981203B1 (en) * 2015-09-23 2019-05-22 주식회사 엔터플 Method and apparatus for providing digital goods using synchronization of user account
CN105871797A (en) * 2015-11-19 2016-08-17 乐视云计算有限公司 Handshake method, device and system of client and server
CN107667361B (en) * 2015-12-11 2021-06-01 微软技术许可有限责任公司 Method, system, and computer-readable medium for propagating document changes
US10142107B2 (en) * 2015-12-31 2018-11-27 Microsoft Technology Licensing, Llc Token binding using trust module protected keys
DE102016125661A1 (en) * 2016-12-23 2018-06-28 Osram Gmbh Controlling at least one controllable device arranged in a region predetermined by a lighting device
US11184331B1 (en) 2016-12-30 2021-11-23 Alarm.Com Incorporated Stream encryption key management
US11917048B2 (en) * 2017-10-26 2024-02-27 Venkata Raghu Veera Mallidi Method of enabling manual selection of all possible attributes of encryption
US11350381B2 (en) 2017-10-26 2022-05-31 Benchmark Electronics, Inc. Mesh ranging and network message and slot structure for ad-hoc networks and method therefor
ES2935614T3 (en) * 2017-12-20 2023-03-08 Nagravision Sa System to secure deployed security cameras
US10819689B2 (en) * 2018-05-03 2020-10-27 Honeywell International Inc. Systems and methods for encrypted vehicle data service exchanges
US10491404B1 (en) 2018-09-12 2019-11-26 Hotpyp, Inc. Systems and methods for cryptographic key generation and authentication
CN109361663B (en) * 2018-10-10 2021-05-28 中航信托股份有限公司 Method, system and device for accessing encrypted data
US11269619B2 (en) * 2019-06-27 2022-03-08 Phosphorus Cybersecurity Inc. Firmware management for IoT devices
CN112100653B (en) * 2020-08-21 2024-02-20 北京思特奇信息技术股份有限公司 Front-end sensitive information processing method and system
CN113821835B (en) * 2021-11-24 2022-02-08 飞腾信息技术有限公司 Key management method, key management device and computing equipment

Family Cites Families (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5455953A (en) * 1993-11-03 1995-10-03 Wang Laboratories, Inc. Authorization system for obtaining in single step both identification and access rights of client to server directly from encrypted authorization ticket
US5535276A (en) * 1994-11-09 1996-07-09 Bell Atlantic Network Services, Inc. Yaksha, an improved system and method for securing communications using split private key asymmetric cryptography
US6574661B1 (en) * 1997-09-26 2003-06-03 Mci Communications Corporation Integrated proxy interface for web based telecommunication toll-free network management using a network manager for downloading a call routing tree to client
US6591250B1 (en) * 1998-02-23 2003-07-08 Genetic Anomalies, Inc. System and method for managing virtual property
US6189146B1 (en) * 1998-03-18 2001-02-13 Microsoft Corporation System and method for software licensing
US6389541B1 (en) * 1998-05-15 2002-05-14 First Union National Bank Regulating access to digital content
JP2002523981A (en) 1998-08-20 2002-07-30 ノキア ネットワークス オサケ ユキチュア Method and apparatus for providing user multiplexing in a real-time protocol
US6519636B2 (en) * 1998-10-28 2003-02-11 International Business Machines Corporation Efficient classification, manipulation, and control of network transmissions by associating network flows with rule based functions
JP3816689B2 (en) 1999-03-31 2006-08-30 株式会社東芝 Information distribution apparatus, information reception apparatus, and communication method
US7260719B1 (en) 1999-04-13 2007-08-21 Sony Corporation Information processing system, information processing method, and information processing device
US6289455B1 (en) * 1999-09-02 2001-09-11 Cryptography Research, Inc. Method and apparatus for preventing piracy of digital content
JP2001175606A (en) * 1999-12-20 2001-06-29 Sony Corp Data processor, and data processing equipment and its method
AU2900001A (en) 2000-01-25 2001-08-07 Telefonaktiebolaget Lm Ericsson (Publ) Encryption of payload on narrow-band ip links
US7159233B2 (en) * 2000-01-28 2007-01-02 Sedna Patent Services, Llc Method and apparatus for preprocessing and postprocessing content in an interactive information distribution system
US20030236745A1 (en) * 2000-03-03 2003-12-25 Hartsell Neal D Systems and methods for billing in information management environments
US6799214B1 (en) * 2000-03-03 2004-09-28 Nec Corporation System and method for efficient content delivery using redirection pages received from the content provider original site and the mirror sites
US7155415B2 (en) * 2000-04-07 2006-12-26 Movielink Llc Secure digital content licensing system and method
US7305478B2 (en) * 2000-06-08 2007-12-04 Symbol Technologies, Inc. Bar code symbol ticketing for authorizing access in a wireless local area communications network
EP1407360A4 (en) 2000-06-16 2009-08-12 Entriq Inc Methods and systems to distribute content via a network utilizing distributed conditional access agents and secure agents, and to perform digital rights management (drm)
US7191242B1 (en) 2000-06-22 2007-03-13 Apple, Inc. Methods and apparatuses for transferring data
US20020059624A1 (en) * 2000-08-03 2002-05-16 Kazuhiro Machida Server based broadcast system, apparatus and method and recording medium and software program relating to this system
WO2002069567A2 (en) * 2000-10-26 2002-09-06 General Instrument Corporation Enforcement of rights and conditions for multimedia content
ATE552562T1 (en) 2000-11-10 2012-04-15 Aol Musicnow Llc DIGITAL CONTENT DISTRIBUTION AND SUBSCRIPTION SYSTEM
US20020133699A1 (en) * 2001-03-13 2002-09-19 Pueschel Roy Myron Method and apparatus to regulate use of freely exchanged files and streams
SE0101295D0 (en) 2001-04-10 2001-04-10 Ericsson Telefon Ab L M A method and network for delivering streaming data
US7243366B2 (en) 2001-11-15 2007-07-10 General Instrument Corporation Key management protocol and authentication system for secure internet protocol rights management architecture
US20030140257A1 (en) * 2002-01-22 2003-07-24 Petr Peterka Encryption, authentication, and key management for multimedia content pre-encryption

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
The Kerberos Network Authentication Service(V5). J.Kohl,C.Neuman.Network Working Group Request For Comments. 1993
The Kerberos Network Authentication Service(V5). J.Kohl,C.Neuman.Network Working Group Request For Comments. 1993 *
Yaksha:Augmenting Kerberos with Public Key Cryptography. Ravi Ganesan.Network and Distributed System Security. 1995
Yaksha:Augmenting Kerberos with Public Key Cryptography. Ravi Ganesan.Network and Distributed System Security. 1995 *

Also Published As

Publication number Publication date
KR20040053321A (en) 2004-06-23
WO2003045036A2 (en) 2003-05-30
US20030093694A1 (en) 2003-05-15
US7243366B2 (en) 2007-07-10
WO2003045036A3 (en) 2003-07-31
MXPA04004630A (en) 2004-09-13
CA2467353A1 (en) 2003-05-30
EP1449347B1 (en) 2012-10-17
EP1449347A2 (en) 2004-08-25
CN1631000A (en) 2005-06-22
AU2002366155A1 (en) 2003-06-10
AU2002366155A8 (en) 2003-06-10
JP2005510184A (en) 2005-04-14
CA2467353C (en) 2014-03-25
KR101078455B1 (en) 2011-10-31

Similar Documents

Publication Publication Date Title
CN100546244C (en) Key management protocol and authentication system for secure content delivery over the internet
CN1656772B (en) Association of security parameters for a collection of related streaming protocols
US7237108B2 (en) Encryption of streaming control protocols and their headers
JP5346025B2 (en) Security signature method, security authentication method, and IPTV system
US7818792B2 (en) Method and system for providing third party authentication of authorization
JP4674044B2 (en) System and method for providing a key management protocol that allows a client to verify authorization
AU2001269856B2 (en) Methods and systems to distribute content via a network utilizing distributed conditional access agents and secure agents, and to perform digital rights management (drm)
US7404084B2 (en) Method and system to digitally sign and deliver content in a geographically controlled manner via a network
US20030063750A1 (en) Unique on-line provisioning of user terminals allowing user authentication
US20030140257A1 (en) Encryption, authentication, and key management for multimedia content pre-encryption
US20030059053A1 (en) Key management interface to multiple and simultaneous protocols
AU2007234627B2 (en) Methods and systems to distribute content via a network utilizing distributed conditional access agents and secure agents, and to perform digital rights management (DRM)
AU2007234620B2 (en) Methods and systems to distribute content via a network utilizing distributed conditional access agents and secure agents, and to perform digital rights management (DRM)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: MOTOROLA MOBILITY LLC

Free format text: FORMER OWNER: GENERAL INSTRUMENT HOLDING CO., LTD.

Effective date: 20130924

Owner name: GENERAL INSTRUMENT HOLDING CO., LTD.

Free format text: FORMER OWNER: GENERAL INSTRUMENT CO.

Effective date: 20130924

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20130924

Address after: California, USA

Patentee after: General Instrument Holdings Ltd.

Address before: Pennsylvania, USA

Patentee before: GENERAL INSTRUMENT Corp.

Effective date of registration: 20130924

Address after: Illinois, USA

Patentee after: MOTOROLA MOBILITY LLC

Address before: California, USA

Patentee before: General Instrument Holdings Ltd.

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160530

Address after: California, USA

Patentee after: Google Technology Holdings LLC

Address before: Illinois, USA

Patentee before: MOTOROLA MOBILITY LLC

CX01 Expiry of patent term

Granted publication date: 20090930

CX01 Expiry of patent term